qwqdanchun
/
ReBeacon_Src
mirror of https://github.com/qwqdanchun/ReBeacon_Src.git
1
0
Fork 1
Code Issues Projects Releases Wiki Activity
ReBeacon_Src/include/Veil/Veil/Veil.System.Executive.h

6486 lines
173 KiB
C
Raw Blame History

/*
* PROJECT: Veil
* FILE: Veil.h
* PURPOSE: Definition for the Windows Internal API from ntdll.dll,
* samlib.dll and winsta.dll
*
* LICENSE: Relicensed under The MIT License from The CC BY 4.0 License
*
* DEVELOPER: MiroKaku (50670906+MiroKaku@users.noreply.github.com)
*/
/*
* PROJECT: Mouri's Internal NT API Collections (MINT)
* FILE: MINT.h
* PURPOSE: Definition for the Windows Internal API from ntdll.dll,
* samlib.dll and winsta.dll
*
* LICENSE: Relicensed under The MIT License from The CC BY 4.0 License
*
* DEVELOPER: Mouri_Naruto (Mouri_Naruto AT Outlook.com)
*/
/*
* This file is part of the Process Hacker project - https://processhacker.sf.io/
*
* You can redistribute this file and/or modify it under the terms of the
* Attribution 4.0 International (CC BY 4.0) license.
*
* You must give appropriate credit, provide a link to the license, and
* indicate if changes were made. You may do so in any reasonable manner, but
* not in any way that suggests the licensor endorses you or your use.
*/
#pragma once
// Warnings which disabled for compiling
#if _MSC_VER >= 1200
#pragma warning(push)
// nonstandard extension used : nameless struct/union
#pragma warning(disable:4201)
// 'struct_name' : structure was padded due to __declspec(align())
#pragma warning(disable:4324)
// 'enumeration': a forward declaration of an unscoped enumeration must have an
// underlying type (int assumed)
#pragma warning(disable:4471)
#endif
VEIL_BEGIN()
//
// Thread execution
//
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtDelayExecution(
_In_ BOOLEAN Alertable,
_In_opt_ PLARGE_INTEGER DelayInterval
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwDelayExecution(
_In_ BOOLEAN Alertable,
_In_opt_ PLARGE_INTEGER DelayInterval
);
//
// Environment values
//
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtQuerySystemEnvironmentValue(
_In_ PUNICODE_STRING VariableName,
_Out_writes_bytes_(ValueLength) PWSTR VariableValue,
_In_ USHORT ValueLength,
_Out_opt_ PUSHORT ReturnLength
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwQuerySystemEnvironmentValue(
_In_ PUNICODE_STRING VariableName,
_Out_writes_bytes_(ValueLength) PWSTR VariableValue,
_In_ USHORT ValueLength,
_Out_opt_ PUSHORT ReturnLength
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetSystemEnvironmentValue(
_In_ PUNICODE_STRING VariableName,
_In_ PUNICODE_STRING VariableValue
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwSetSystemEnvironmentValue(
_In_ PUNICODE_STRING VariableName,
_In_ PUNICODE_STRING VariableValue
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtQuerySystemEnvironmentValueEx(
_In_ PUNICODE_STRING VariableName,
_In_ LPGUID VendorGuid,
_Out_writes_bytes_opt_(*ValueLength) PVOID Value,
_Inout_ PULONG ValueLength,
_Out_opt_ PULONG Attributes
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwQuerySystemEnvironmentValueEx(
_In_ PUNICODE_STRING VariableName,
_In_ LPGUID VendorGuid,
_Out_writes_bytes_opt_(*ValueLength) PVOID Value,
_Inout_ PULONG ValueLength,
_Out_opt_ PULONG Attributes
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetSystemEnvironmentValueEx(
_In_ PUNICODE_STRING VariableName,
_In_ LPGUID VendorGuid,
_In_reads_bytes_opt_(ValueLength) PVOID Value,
_In_ ULONG ValueLength,
_In_ ULONG Attributes
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwSetSystemEnvironmentValueEx(
_In_ PUNICODE_STRING VariableName,
_In_ LPGUID VendorGuid,
_In_reads_bytes_opt_(ValueLength) PVOID Value,
_In_ ULONG ValueLength,
_In_ ULONG Attributes
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtEnumerateSystemEnvironmentValuesEx(
_In_ ULONG InformationClass,
_Out_ PVOID Buffer,
_Inout_ PULONG BufferLength
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwEnumerateSystemEnvironmentValuesEx(
_In_ ULONG InformationClass,
_Out_ PVOID Buffer,
_Inout_ PULONG BufferLength
);
//
// EFI
//
// private
typedef struct _BOOT_ENTRY
{
ULONG Version;
ULONG Length;
ULONG Id;
ULONG Attributes;
ULONG FriendlyNameOffset;
ULONG BootFilePathOffset;
ULONG OsOptionsLength;
UCHAR OsOptions[1];
} BOOT_ENTRY, * PBOOT_ENTRY;
// private
typedef struct _BOOT_ENTRY_LIST
{
ULONG NextEntryOffset;
BOOT_ENTRY BootEntry;
} BOOT_ENTRY_LIST, * PBOOT_ENTRY_LIST;
// private
typedef struct _BOOT_OPTIONS
{
ULONG Version;
ULONG Length;
ULONG Timeout;
ULONG CurrentBootEntryId;
ULONG NextBootEntryId;
WCHAR HeadlessRedirection[1];
} BOOT_OPTIONS, * PBOOT_OPTIONS;
// private
typedef struct _FILE_PATH
{
ULONG Version;
ULONG Length;
ULONG Type;
UCHAR FilePath[1];
} FILE_PATH, * PFILE_PATH;
// private
typedef struct _EFI_DRIVER_ENTRY
{
ULONG Version;
ULONG Length;
ULONG Id;
ULONG FriendlyNameOffset;
ULONG DriverFilePathOffset;
} EFI_DRIVER_ENTRY, * PEFI_DRIVER_ENTRY;
// private
typedef struct _EFI_DRIVER_ENTRY_LIST
{
ULONG NextEntryOffset;
EFI_DRIVER_ENTRY DriverEntry;
} EFI_DRIVER_ENTRY_LIST, * PEFI_DRIVER_ENTRY_LIST;
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtAddBootEntry(
_In_ PBOOT_ENTRY BootEntry,
_Out_opt_ PULONG Id
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwAddBootEntry(
_In_ PBOOT_ENTRY BootEntry,
_Out_opt_ PULONG Id
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtDeleteBootEntry(
_In_ ULONG Id
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwDeleteBootEntry(
_In_ ULONG Id
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtModifyBootEntry(
_In_ PBOOT_ENTRY BootEntry
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwModifyBootEntry(
_In_ PBOOT_ENTRY BootEntry
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtEnumerateBootEntries(
_Out_writes_bytes_opt_(*BufferLength) PVOID Buffer,
_Inout_ PULONG BufferLength
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwEnumerateBootEntries(
_Out_writes_bytes_opt_(*BufferLength) PVOID Buffer,
_Inout_ PULONG BufferLength
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueryBootEntryOrder(
_Out_writes_opt_(*Count) PULONG Ids,
_Inout_ PULONG Count
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryBootEntryOrder(
_Out_writes_opt_(*Count) PULONG Ids,
_Inout_ PULONG Count
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetBootEntryOrder(
_In_reads_(Count) PULONG Ids,
_In_ ULONG Count
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwSetBootEntryOrder(
_In_reads_(Count) PULONG Ids,
_In_ ULONG Count
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueryBootOptions(
_Out_writes_bytes_opt_(*BootOptionsLength) PBOOT_OPTIONS BootOptions,
_Inout_ PULONG BootOptionsLength
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryBootOptions(
_Out_writes_bytes_opt_(*BootOptionsLength) PBOOT_OPTIONS BootOptions,
_Inout_ PULONG BootOptionsLength
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetBootOptions(
_In_ PBOOT_OPTIONS BootOptions,
_In_ ULONG FieldsToChange
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwSetBootOptions(
_In_ PBOOT_OPTIONS BootOptions,
_In_ ULONG FieldsToChange
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtTranslateFilePath(
_In_ PFILE_PATH InputFilePath,
_In_ ULONG OutputType,
_Out_writes_bytes_opt_(*OutputFilePathLength) PFILE_PATH OutputFilePath,
_Inout_opt_ PULONG OutputFilePathLength
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwTranslateFilePath(
_In_ PFILE_PATH InputFilePath,
_In_ ULONG OutputType,
_Out_writes_bytes_opt_(*OutputFilePathLength) PFILE_PATH OutputFilePath,
_Inout_opt_ PULONG OutputFilePathLength
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtAddDriverEntry(
_In_ PEFI_DRIVER_ENTRY DriverEntry,
_Out_opt_ PULONG Id
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwAddDriverEntry(
_In_ PEFI_DRIVER_ENTRY DriverEntry,
_Out_opt_ PULONG Id
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtDeleteDriverEntry(
_In_ ULONG Id
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwDeleteDriverEntry(
_In_ ULONG Id
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtModifyDriverEntry(
_In_ PEFI_DRIVER_ENTRY DriverEntry
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwModifyDriverEntry(
_In_ PEFI_DRIVER_ENTRY DriverEntry
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtEnumerateDriverEntries(
_Out_writes_bytes_opt_(*BufferLength) PVOID Buffer,
_Inout_ PULONG BufferLength
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwEnumerateDriverEntries(
_Out_writes_bytes_opt_(*BufferLength) PVOID Buffer,
_Inout_ PULONG BufferLength
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueryDriverEntryOrder(
_Out_writes_opt_(*Count) PULONG Ids,
_Inout_ PULONG Count
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryDriverEntryOrder(
_Out_writes_opt_(*Count) PULONG Ids,
_Inout_ PULONG Count
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetDriverEntryOrder(
_In_reads_(Count) PULONG Ids,
_In_ ULONG Count
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwSetDriverEntryOrder(
_In_reads_(Count) PULONG Ids,
_In_ ULONG Count
);
typedef enum _FILTER_BOOT_OPTION_OPERATION
{
FilterBootOptionOperationOpenSystemStore,
FilterBootOptionOperationSetElement,
FilterBootOptionOperationDeleteElement,
FilterBootOptionOperationMax
} FILTER_BOOT_OPTION_OPERATION;
#if (NTDDI_VERSION >= NTDDI_WIN10)
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtFilterBootOption(
_In_ FILTER_BOOT_OPTION_OPERATION FilterOperation,
_In_ ULONG ObjectType,
_In_ ULONG ElementType,
_In_reads_bytes_opt_(DataSize) PVOID Data,
_In_ ULONG DataSize
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwFilterBootOption(
_In_ FILTER_BOOT_OPTION_OPERATION FilterOperation,
_In_ ULONG ObjectType,
_In_ ULONG ElementType,
_In_reads_bytes_opt_(DataSize) PVOID Data,
_In_ ULONG DataSize
);
#endif
//
// Event
//
#define EVENT_QUERY_STATE 0x0001
#define EVENT_MODIFY_STATE 0x0002
#define EVENT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|0x3)
typedef enum _EVENT_INFORMATION_CLASS
{
EventBasicInformation
} EVENT_INFORMATION_CLASS;
typedef struct _EVENT_BASIC_INFORMATION
{
EVENT_TYPE EventType;
LONG EventState;
} EVENT_BASIC_INFORMATION, * PEVENT_BASIC_INFORMATION;
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateEvent(
_Out_ PHANDLE EventHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_ EVENT_TYPE EventType,
_In_ BOOLEAN InitialState
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwCreateEvent(
_Out_ PHANDLE EventHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_ EVENT_TYPE EventType,
_In_ BOOLEAN InitialState
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtOpenEvent(
_Out_ PHANDLE EventHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenEvent(
_Out_ PHANDLE EventHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetEvent(
_In_ HANDLE EventHandle,
_Out_opt_ PLONG PreviousState
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwSetEvent(
_In_ HANDLE EventHandle,
_Out_opt_ PLONG PreviousState
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetEventBoostPriority(
_In_ HANDLE EventHandle
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwSetEventBoostPriority(
_In_ HANDLE EventHandle
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtClearEvent(
_In_ HANDLE EventHandle
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwClearEvent(
_In_ HANDLE EventHandle
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtResetEvent(
_In_ HANDLE EventHandle,
_Out_opt_ PLONG PreviousState
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwResetEvent(
_In_ HANDLE EventHandle,
_Out_opt_ PLONG PreviousState
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtPulseEvent(
_In_ HANDLE EventHandle,
_Out_opt_ PLONG PreviousState
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwPulseEvent(
_In_ HANDLE EventHandle,
_Out_opt_ PLONG PreviousState
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueryEvent(
_In_ HANDLE EventHandle,
_In_ EVENT_INFORMATION_CLASS EventInformationClass,
_Out_writes_bytes_(EventInformationLength) PVOID EventInformation,
_In_ ULONG EventInformationLength,
_Out_opt_ PULONG ReturnLength
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryEvent(
_In_ HANDLE EventHandle,
_In_ EVENT_INFORMATION_CLASS EventInformationClass,
_Out_writes_bytes_(EventInformationLength) PVOID EventInformation,
_In_ ULONG EventInformationLength,
_Out_opt_ PULONG ReturnLength
);
//
// Event Pair
//
#define EVENT_PAIR_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE)
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateEventPair(
_Out_ PHANDLE EventPairHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwCreateEventPair(
_Out_ PHANDLE EventPairHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtOpenEventPair(
_Out_ PHANDLE EventPairHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenEventPair(
_Out_ PHANDLE EventPairHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetLowEventPair(
_In_ HANDLE EventPairHandle
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwSetLowEventPair(
_In_ HANDLE EventPairHandle
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetHighEventPair(
_In_ HANDLE EventPairHandle
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwSetHighEventPair(
_In_ HANDLE EventPairHandle
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtWaitLowEventPair(
_In_ HANDLE EventPairHandle
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwWaitLowEventPair(
_In_ HANDLE EventPairHandle
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtWaitHighEventPair(
_In_ HANDLE EventPairHandle
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwWaitHighEventPair(
_In_ HANDLE EventPairHandle
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetLowWaitHighEventPair(
_In_ HANDLE EventPairHandle
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwSetLowWaitHighEventPair(
_In_ HANDLE EventPairHandle
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetHighWaitLowEventPair(
_In_ HANDLE EventPairHandle
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwSetHighWaitLowEventPair(
_In_ HANDLE EventPairHandle
);
//
// Mutant
//
typedef enum _MUTANT_INFORMATION_CLASS
{
MutantBasicInformation, // MUTANT_BASIC_INFORMATION
MutantOwnerInformation // MUTANT_OWNER_INFORMATION
} MUTANT_INFORMATION_CLASS;
typedef struct _MUTANT_BASIC_INFORMATION
{
LONG CurrentCount;
BOOLEAN OwnedByCaller;
BOOLEAN AbandonedState;
} MUTANT_BASIC_INFORMATION, * PMUTANT_BASIC_INFORMATION;
typedef struct _MUTANT_OWNER_INFORMATION
{
CLIENT_ID ClientId;
} MUTANT_OWNER_INFORMATION, * PMUTANT_OWNER_INFORMATION;
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateMutant(
_Out_ PHANDLE MutantHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_ BOOLEAN InitialOwner
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwCreateMutant(
_Out_ PHANDLE MutantHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_ BOOLEAN InitialOwner
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtOpenMutant(
_Out_ PHANDLE MutantHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenMutant(
_Out_ PHANDLE MutantHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtReleaseMutant(
_In_ HANDLE MutantHandle,
_Out_opt_ PLONG PreviousCount
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwReleaseMutant(
_In_ HANDLE MutantHandle,
_Out_opt_ PLONG PreviousCount
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueryMutant(
_In_ HANDLE MutantHandle,
_In_ MUTANT_INFORMATION_CLASS MutantInformationClass,
_Out_writes_bytes_(MutantInformationLength) PVOID MutantInformation,
_In_ ULONG MutantInformationLength,
_Out_opt_ PULONG ReturnLength
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryMutant(
_In_ HANDLE MutantHandle,
_In_ MUTANT_INFORMATION_CLASS MutantInformationClass,
_Out_writes_bytes_(MutantInformationLength) PVOID MutantInformation,
_In_ ULONG MutantInformationLength,
_Out_opt_ PULONG ReturnLength
);
//
// Semaphore
//
#define SEMAPHORE_QUERY_STATE 0x0001
#define SEMAPHORE_MODIFY_STATE 0x0002
#define SEMAPHORE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|0x3)
typedef enum _SEMAPHORE_INFORMATION_CLASS
{
SemaphoreBasicInformation
} SEMAPHORE_INFORMATION_CLASS;
typedef struct _SEMAPHORE_BASIC_INFORMATION
{
LONG CurrentCount;
LONG MaximumCount;
} SEMAPHORE_BASIC_INFORMATION, * PSEMAPHORE_BASIC_INFORMATION;
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateSemaphore(
_Out_ PHANDLE SemaphoreHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_ LONG InitialCount,
_In_ LONG MaximumCount
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwCreateSemaphore(
_Out_ PHANDLE SemaphoreHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_ LONG InitialCount,
_In_ LONG MaximumCount
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtOpenSemaphore(
_Out_ PHANDLE SemaphoreHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenSemaphore(
_Out_ PHANDLE SemaphoreHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtReleaseSemaphore(
_In_ HANDLE SemaphoreHandle,
_In_ LONG ReleaseCount,
_Out_opt_ PLONG PreviousCount
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwReleaseSemaphore(
_In_ HANDLE SemaphoreHandle,
_In_ LONG ReleaseCount,
_Out_opt_ PLONG PreviousCount
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtQuerySemaphore(
_In_ HANDLE SemaphoreHandle,
_In_ SEMAPHORE_INFORMATION_CLASS SemaphoreInformationClass,
_Out_writes_bytes_(SemaphoreInformationLength) PVOID SemaphoreInformation,
_In_ ULONG SemaphoreInformationLength,
_Out_opt_ PULONG ReturnLength
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwQuerySemaphore(
_In_ HANDLE SemaphoreHandle,
_In_ SEMAPHORE_INFORMATION_CLASS SemaphoreInformationClass,
_Out_writes_bytes_(SemaphoreInformationLength) PVOID SemaphoreInformation,
_In_ ULONG SemaphoreInformationLength,
_Out_opt_ PULONG ReturnLength
);
//
// Timer
//
typedef enum _TIMER_INFORMATION_CLASS
{
TimerBasicInformation // TIMER_BASIC_INFORMATION
} TIMER_INFORMATION_CLASS;
typedef struct _TIMER_BASIC_INFORMATION
{
LARGE_INTEGER RemainingTime;
BOOLEAN TimerState;
} TIMER_BASIC_INFORMATION, * PTIMER_BASIC_INFORMATION;
#ifndef _KERNEL_MODE
typedef VOID(NTAPI* PTIMER_APC_ROUTINE)(
_In_ PVOID TimerContext,
_In_ ULONG TimerLowValue,
_In_ LONG TimerHighValue
);
typedef enum _TIMER_SET_INFORMATION_CLASS
{
TimerSetCoalescableTimer, // TIMER_SET_COALESCABLE_TIMER_INFO
MaxTimerInfoClass
} TIMER_SET_INFORMATION_CLASS;
#if (NTDDI_VERSION >= NTDDI_WIN7)
struct _COUNTED_REASON_CONTEXT;
typedef struct _TIMER_SET_COALESCABLE_TIMER_INFO
{
_In_ LARGE_INTEGER DueTime;
_In_opt_ PTIMER_APC_ROUTINE TimerApcRoutine;
_In_opt_ PVOID TimerContext;
_In_opt_ struct _COUNTED_REASON_CONTEXT* WakeContext;
_In_opt_ ULONG Period;
_In_ ULONG TolerableDelay;
_Out_opt_ PBOOLEAN PreviousState;
} TIMER_SET_COALESCABLE_TIMER_INFO, * PTIMER_SET_COALESCABLE_TIMER_INFO;
#endif
#endif // _KERNEL_MODE
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateTimer(
_Out_ PHANDLE TimerHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_ TIMER_TYPE TimerType
);
_IRQL_requires_max_(PASSIVE_LEVEL)
_When_(return = 0, __drv_allocatesMem(TimerObject))
NTSTATUS
ZwCreateTimer(
_Out_ PHANDLE TimerHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_ TIMER_TYPE TimerType
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtOpenTimer(
_Out_ PHANDLE TimerHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSTATUS
ZwOpenTimer(
_Out_ PHANDLE TimerHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetTimer(
_In_ HANDLE TimerHandle,
_In_ PLARGE_INTEGER DueTime,
_In_opt_ PTIMER_APC_ROUTINE TimerApcRoutine,
_In_opt_ PVOID TimerContext,
_In_ BOOLEAN ResumeTimer,
_In_opt_ LONG Period,
_Out_opt_ PBOOLEAN PreviousState
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSTATUS
ZwSetTimer(
_In_ HANDLE TimerHandle,
_In_ PLARGE_INTEGER DueTime,
_In_opt_ PTIMER_APC_ROUTINE TimerApcRoutine,
_In_opt_ PVOID TimerContext,
_In_ BOOLEAN ResumeTimer,
_In_opt_ LONG Period,
_Out_opt_ PBOOLEAN PreviousState
);
#if (NTDDI_VERSION >= NTDDI_WIN7)
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetTimerEx(
_In_ HANDLE TimerHandle,
_In_ TIMER_SET_INFORMATION_CLASS TimerSetInformationClass,
_Inout_updates_bytes_opt_(TimerSetInformationLength) PVOID TimerSetInformation,
_In_ ULONG TimerSetInformationLength
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSTATUS
ZwSetTimerEx(
_In_ HANDLE TimerHandle,
_In_ TIMER_SET_INFORMATION_CLASS TimerSetInformationClass,
_Inout_updates_bytes_opt_(TimerSetInformationLength) PVOID TimerSetInformation,
_In_ ULONG TimerSetInformationLength
);
#endif
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtCancelTimer(
_In_ HANDLE TimerHandle,
_Out_opt_ PBOOLEAN CurrentState
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSTATUS
ZwCancelTimer(
_In_ HANDLE TimerHandle,
_Out_opt_ PBOOLEAN CurrentState
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueryTimer(
_In_ HANDLE TimerHandle,
_In_ TIMER_INFORMATION_CLASS TimerInformationClass,
_Out_writes_bytes_(TimerInformationLength) PVOID TimerInformation,
_In_ ULONG TimerInformationLength,
_Out_opt_ PULONG ReturnLength
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryTimer(
_In_ HANDLE TimerHandle,
_In_ TIMER_INFORMATION_CLASS TimerInformationClass,
_Out_writes_bytes_(TimerInformationLength) PVOID TimerInformation,
_In_ ULONG TimerInformationLength,
_Out_opt_ PULONG ReturnLength
);
#if (NTDDI_VERSION >= NTDDI_WIN8)
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateIRTimer(
_Out_ PHANDLE TimerHandle,
_In_ ACCESS_MASK DesiredAccess
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwCreateIRTimer(
_Out_ PHANDLE TimerHandle,
_In_ ACCESS_MASK DesiredAccess
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetIRTimer(
_In_ HANDLE TimerHandle,
_In_opt_ PLARGE_INTEGER DueTime
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwSetIRTimer(
_In_ HANDLE TimerHandle,
_In_opt_ PLARGE_INTEGER DueTime
);
#endif
typedef struct _T2_SET_PARAMETERS_V0
{
ULONG Version;
ULONG Reserved;
LONGLONG NoWakeTolerance;
} T2_SET_PARAMETERS, * PT2_SET_PARAMETERS;
typedef PVOID PT2_CANCEL_PARAMETERS;
#if (NTDDI_VERSION >= NTDDI_WINBLUE)
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateTimer2(
_Out_ PHANDLE TimerHandle,
_In_opt_ PVOID Reserved1,
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_ ULONG Attributes,
_In_ ACCESS_MASK DesiredAccess
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwCreateTimer2(
_Out_ PHANDLE TimerHandle,
_In_opt_ PVOID Reserved1,
_In_opt_ PVOID Reserved2,
_In_ ULONG Attributes,
_In_ ACCESS_MASK DesiredAccess
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetTimer2(
_In_ HANDLE TimerHandle,
_In_ PLARGE_INTEGER DueTime,
_In_opt_ PLARGE_INTEGER Period,
_In_ PT2_SET_PARAMETERS Parameters
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwSetTimer2(
_In_ HANDLE TimerHandle,
_In_ PLARGE_INTEGER DueTime,
_In_opt_ PLARGE_INTEGER Period,
_In_ PT2_SET_PARAMETERS Parameters
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtCancelTimer2(
_In_ HANDLE TimerHandle,
_In_ PT2_CANCEL_PARAMETERS Parameters
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwCancelTimer2(
_In_ HANDLE TimerHandle,
_In_ PT2_CANCEL_PARAMETERS Parameters
);
#endif // NTDDI_VERSION >= NTDDI_WINBLUE
//
// Profile
//
#define PROFILE_CONTROL 0x0001
#define PROFILE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | PROFILE_CONTROL)
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateProfile(
_Out_ PHANDLE ProfileHandle,
_In_opt_ HANDLE Process,
_In_ PVOID ProfileBase,
_In_ SIZE_T ProfileSize,
_In_ ULONG BucketSize,
_In_reads_bytes_(BufferSize) PULONG Buffer,
_In_ ULONG BufferSize,
_In_ KPROFILE_SOURCE ProfileSource,
_In_ KAFFINITY Affinity
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwCreateProfile(
_Out_ PHANDLE ProfileHandle,
_In_opt_ HANDLE Process,
_In_ PVOID ProfileBase,
_In_ SIZE_T ProfileSize,
_In_ ULONG BucketSize,
_In_reads_bytes_(BufferSize) PULONG Buffer,
_In_ ULONG BufferSize,
_In_ KPROFILE_SOURCE ProfileSource,
_In_ KAFFINITY Affinity
);
#if (NTDDI_VERSION >= NTDDI_WIN7)
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateProfileEx(
_Out_ PHANDLE ProfileHandle,
_In_opt_ HANDLE Process,
_In_ PVOID ProfileBase,
_In_ SIZE_T ProfileSize,
_In_ ULONG BucketSize,
_In_reads_bytes_(BufferSize) PULONG Buffer,
_In_ ULONG BufferSize,
_In_ KPROFILE_SOURCE ProfileSource,
_In_ USHORT GroupCount,
_In_reads_(GroupCount) PGROUP_AFFINITY GroupAffinity
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwCreateProfileEx(
_Out_ PHANDLE ProfileHandle,
_In_opt_ HANDLE Process,
_In_ PVOID ProfileBase,
_In_ SIZE_T ProfileSize,
_In_ ULONG BucketSize,
_In_reads_bytes_(BufferSize) PULONG Buffer,
_In_ ULONG BufferSize,
_In_ KPROFILE_SOURCE ProfileSource,
_In_ USHORT GroupCount,
_In_reads_(GroupCount) PGROUP_AFFINITY GroupAffinity
);
#endif
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtStartProfile(
_In_ HANDLE ProfileHandle
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwStartProfile(
_In_ HANDLE ProfileHandle
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtStopProfile(
_In_ HANDLE ProfileHandle
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwStopProfile(
_In_ HANDLE ProfileHandle
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueryIntervalProfile(
_In_ KPROFILE_SOURCE ProfileSource,
_Out_ PULONG Interval
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryIntervalProfile(
_In_ KPROFILE_SOURCE ProfileSource,
_Out_ PULONG Interval
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetIntervalProfile(
_In_ ULONG Interval,
_In_ KPROFILE_SOURCE Source
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwSetIntervalProfile(
_In_ ULONG Interval,
_In_ KPROFILE_SOURCE Source
);
//
// Keyed Event
//
#define KEYEDEVENT_WAIT 0x0001
#define KEYEDEVENT_WAKE 0x0002
#define KEYEDEVENT_ALL_ACCESS \
(STANDARD_RIGHTS_REQUIRED | KEYEDEVENT_WAIT | KEYEDEVENT_WAKE)
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateKeyedEvent(
_Out_ PHANDLE KeyedEventHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_ ULONG Flags
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwCreateKeyedEvent(
_Out_ PHANDLE KeyedEventHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_ ULONG Flags
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtOpenKeyedEvent(
_Out_ PHANDLE KeyedEventHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenKeyedEvent(
_Out_ PHANDLE KeyedEventHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtReleaseKeyedEvent(
_In_ HANDLE KeyedEventHandle,
_In_ PVOID KeyValue,
_In_ BOOLEAN Alertable,
_In_opt_ PLARGE_INTEGER Timeout
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwReleaseKeyedEvent(
_In_ HANDLE KeyedEventHandle,
_In_ PVOID KeyValue,
_In_ BOOLEAN Alertable,
_In_opt_ PLARGE_INTEGER Timeout
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtWaitForKeyedEvent(
_In_ HANDLE KeyedEventHandle,
_In_ PVOID KeyValue,
_In_ BOOLEAN Alertable,
_In_opt_ PLARGE_INTEGER Timeout
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwWaitForKeyedEvent(
_In_ HANDLE KeyedEventHandle,
_In_ PVOID KeyValue,
_In_ BOOLEAN Alertable,
_In_opt_ PLARGE_INTEGER Timeout
);
//
// UMS
//
#if (NTDDI_VERSION >= NTDDI_WIN7)
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtUmsThreadYield(
_In_ PVOID SchedulerParam
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwUmsThreadYield(
_In_ PVOID SchedulerParam
);
#endif
//
// WNF
//
// begin_private
#ifndef _DEFINED__WNF_STATE_NAME
#define _DEFINED__WNF_STATE_NAME
typedef struct _WNF_STATE_NAME
{
ULONG Data[2];
} WNF_STATE_NAME, * PWNF_STATE_NAME;
typedef const WNF_STATE_NAME* PCWNF_STATE_NAME;
#endif
typedef enum _WNF_STATE_NAME_LIFETIME
{
WnfWellKnownStateName,
WnfPermanentStateName,
WnfPersistentStateName,
WnfTemporaryStateName
} WNF_STATE_NAME_LIFETIME;
typedef enum _WNF_STATE_NAME_INFORMATION
{
WnfInfoStateNameExist,
WnfInfoSubscribersPresent,
WnfInfoIsQuiescent
} WNF_STATE_NAME_INFORMATION;
typedef enum _WNF_DATA_SCOPE
{
WnfDataScopeSystem,
WnfDataScopeSession,
WnfDataScopeUser,
WnfDataScopeProcess,
WnfDataScopeMachine, // REDSTONE3
WnfDataScopePhysicalMachine, // WIN11
} WNF_DATA_SCOPE;
typedef struct _WNF_TYPE_ID
{
GUID TypeId;
} WNF_TYPE_ID, * PWNF_TYPE_ID;
typedef const WNF_TYPE_ID* PCWNF_TYPE_ID;
// rev
typedef ULONG WNF_CHANGE_STAMP, * PWNF_CHANGE_STAMP;
typedef struct _WNF_DELIVERY_DESCRIPTOR
{
ULONGLONG SubscriptionId;
WNF_STATE_NAME StateName;
WNF_CHANGE_STAMP ChangeStamp;
ULONG StateDataSize;
ULONG EventMask;
WNF_TYPE_ID TypeId;
ULONG StateDataOffset;
} WNF_DELIVERY_DESCRIPTOR, * PWNF_DELIVERY_DESCRIPTOR;
// end_private
#if (NTDDI_VERSION >= NTDDI_WIN8)
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateWnfStateName(
_Out_ PWNF_STATE_NAME StateName,
_In_ WNF_STATE_NAME_LIFETIME NameLifetime,
_In_ WNF_DATA_SCOPE DataScope,
_In_ BOOLEAN PersistData,
_In_opt_ PCWNF_TYPE_ID TypeId,
_In_ ULONG MaximumStateSize,
_In_ PSECURITY_DESCRIPTOR SecurityDescriptor
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwCreateWnfStateName(
_Out_ PWNF_STATE_NAME StateName,
_In_ WNF_STATE_NAME_LIFETIME NameLifetime,
_In_ WNF_DATA_SCOPE DataScope,
_In_ BOOLEAN PersistData,
_In_opt_ PCWNF_TYPE_ID TypeId,
_In_ ULONG MaximumStateSize,
_In_ PSECURITY_DESCRIPTOR SecurityDescriptor
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtDeleteWnfStateName(
_In_ PCWNF_STATE_NAME StateName
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwDeleteWnfStateName(
_In_ PCWNF_STATE_NAME StateName
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtUpdateWnfStateData(
_In_ PCWNF_STATE_NAME StateName,
_In_reads_bytes_opt_(Length) const VOID* Buffer,
_In_opt_ ULONG Length,
_In_opt_ PCWNF_TYPE_ID TypeId,
_In_opt_ const VOID* ExplicitScope,
_In_ WNF_CHANGE_STAMP MatchingChangeStamp,
_In_ LOGICAL CheckStamp
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwUpdateWnfStateData(
_In_ PCWNF_STATE_NAME StateName,
_In_reads_bytes_opt_(Length) const VOID* Buffer,
_In_opt_ ULONG Length,
_In_opt_ PCWNF_TYPE_ID TypeId,
_In_opt_ const VOID* ExplicitScope,
_In_ WNF_CHANGE_STAMP MatchingChangeStamp,
_In_ LOGICAL CheckStamp
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtDeleteWnfStateData(
_In_ PCWNF_STATE_NAME StateName,
_In_opt_ const VOID* ExplicitScope
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwDeleteWnfStateData(
_In_ PCWNF_STATE_NAME StateName,
_In_opt_ const VOID* ExplicitScope
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueryWnfStateData(
_In_ PCWNF_STATE_NAME StateName,
_In_opt_ PCWNF_TYPE_ID TypeId,
_In_opt_ const VOID* ExplicitScope,
_Out_ PWNF_CHANGE_STAMP ChangeStamp,
_Out_writes_bytes_to_opt_(*BufferSize, *BufferSize) PVOID Buffer,
_Inout_ PULONG BufferSize
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryWnfStateData(
_In_ PCWNF_STATE_NAME StateName,
_In_opt_ PCWNF_TYPE_ID TypeId,
_In_opt_ const VOID* ExplicitScope,
_Out_ PWNF_CHANGE_STAMP ChangeStamp,
_Out_writes_bytes_to_opt_(*BufferSize, *BufferSize) PVOID Buffer,
_Inout_ PULONG BufferSize
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueryWnfStateNameInformation(
_In_ PCWNF_STATE_NAME StateName,
_In_ WNF_STATE_NAME_INFORMATION NameInfoClass,
_In_opt_ const VOID* ExplicitScope,
_Out_writes_bytes_(InfoBufferSize) PVOID InfoBuffer,
_In_ ULONG InfoBufferSize
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryWnfStateNameInformation(
_In_ PCWNF_STATE_NAME StateName,
_In_ WNF_STATE_NAME_INFORMATION NameInfoClass,
_In_opt_ const VOID* ExplicitScope,
_Out_writes_bytes_(InfoBufferSize) PVOID InfoBuffer,
_In_ ULONG InfoBufferSize
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtSubscribeWnfStateChange(
_In_ PCWNF_STATE_NAME StateName,
_In_opt_ WNF_CHANGE_STAMP ChangeStamp,
_In_ ULONG EventMask,
_Out_opt_ PULONG64 SubscriptionId
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwSubscribeWnfStateChange(
_In_ PCWNF_STATE_NAME StateName,
_In_opt_ WNF_CHANGE_STAMP ChangeStamp,
_In_ ULONG EventMask,
_Out_opt_ PULONG64 SubscriptionId
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtUnsubscribeWnfStateChange(
_In_ PCWNF_STATE_NAME StateName
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwUnsubscribeWnfStateChange(
_In_ PCWNF_STATE_NAME StateName
);
#endif
#if (NTDDI_VERSION >= NTDDI_WINBLUE)
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtGetCompleteWnfStateSubscription(
_In_opt_ PWNF_STATE_NAME OldDescriptorStateName,
_In_opt_ ULONG64* OldSubscriptionId,
_In_opt_ ULONG OldDescriptorEventMask,
_In_opt_ ULONG OldDescriptorStatus,
_Out_writes_bytes_(DescriptorSize) PWNF_DELIVERY_DESCRIPTOR NewDeliveryDescriptor,
_In_ ULONG DescriptorSize
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwGetCompleteWnfStateSubscription(
_In_opt_ PWNF_STATE_NAME OldDescriptorStateName,
_In_opt_ ULONG64* OldSubscriptionId,
_In_opt_ ULONG OldDescriptorEventMask,
_In_opt_ ULONG OldDescriptorStatus,
_Out_writes_bytes_(DescriptorSize) PWNF_DELIVERY_DESCRIPTOR NewDeliveryDescriptor,
_In_ ULONG DescriptorSize
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetWnfProcessNotificationEvent(
_In_ HANDLE NotificationEvent
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwSetWnfProcessNotificationEvent(
_In_ HANDLE NotificationEvent
);
#endif // NTDDI_VERSION >= NTDDI_WINBLUE
//
// Worker factory
//
// begin_rev
#define WORKER_FACTORY_RELEASE_WORKER 0x0001
#define WORKER_FACTORY_WAIT 0x0002
#define WORKER_FACTORY_SET_INFORMATION 0x0004
#define WORKER_FACTORY_QUERY_INFORMATION 0x0008
#define WORKER_FACTORY_READY_WORKER 0x0010
#define WORKER_FACTORY_SHUTDOWN 0x0020
#define WORKER_FACTORY_ALL_ACCESS ( \
STANDARD_RIGHTS_REQUIRED | \
WORKER_FACTORY_RELEASE_WORKER | \
WORKER_FACTORY_WAIT | \
WORKER_FACTORY_SET_INFORMATION | \
WORKER_FACTORY_QUERY_INFORMATION | \
WORKER_FACTORY_READY_WORKER | \
WORKER_FACTORY_SHUTDOWN \
)
// end_rev
// begin_private
typedef enum _WORKERFACTORYINFOCLASS
{
WorkerFactoryTimeout, // q; s: LARGE_INTEGER
WorkerFactoryRetryTimeout, // q; s: LARGE_INTEGER
WorkerFactoryIdleTimeout, // q; s: LARGE_INTEGER
WorkerFactoryBindingCount,
WorkerFactoryThreadMinimum, // q; s: ULONG
WorkerFactoryThreadMaximum, // q; s: ULONG
WorkerFactoryPaused, // ULONG or BOOLEAN
WorkerFactoryBasicInformation, // WORKER_FACTORY_BASIC_INFORMATION
WorkerFactoryAdjustThreadGoal,
WorkerFactoryCallbackType,
WorkerFactoryStackInformation, // 10
WorkerFactoryThreadBasePriority,
WorkerFactoryTimeoutWaiters, // since THRESHOLD
WorkerFactoryFlags,
WorkerFactoryThreadSoftMaximum,
WorkerFactoryThreadCpuSets, // since REDSTONE5
MaxWorkerFactoryInfoClass
} WORKERFACTORYINFOCLASS, * PWORKERFACTORYINFOCLASS;
typedef struct _WORKER_FACTORY_BASIC_INFORMATION
{
LARGE_INTEGER Timeout;
LARGE_INTEGER RetryTimeout;
LARGE_INTEGER IdleTimeout;
BOOLEAN Paused;
BOOLEAN TimerSet;
BOOLEAN QueuedToExWorker;
BOOLEAN MayCreate;
BOOLEAN CreateInProgress;
BOOLEAN InsertedIntoQueue;
BOOLEAN Shutdown;
ULONG BindingCount;
ULONG ThreadMinimum;
ULONG ThreadMaximum;
ULONG PendingWorkerCount;
ULONG WaitingWorkerCount;
ULONG TotalWorkerCount;
ULONG ReleaseCount;
LONGLONG InfiniteWaitGoal;
PVOID StartRoutine;
PVOID StartParameter;
HANDLE ProcessId;
SIZE_T StackReserve;
SIZE_T StackCommit;
NTSTATUS LastThreadCreationStatus;
} WORKER_FACTORY_BASIC_INFORMATION, * PWORKER_FACTORY_BASIC_INFORMATION;
// end_private
#if (NTDDI_VERSION >= NTDDI_VISTA)
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateWorkerFactory(
_Out_ PHANDLE WorkerFactoryHandleReturn,
_In_ ACCESS_MASK DesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_ HANDLE CompletionPortHandle,
_In_ HANDLE WorkerProcessHandle,
_In_ PVOID StartRoutine,
_In_opt_ PVOID StartParameter,
_In_opt_ ULONG MaxThreadCount,
_In_opt_ SIZE_T StackReserve,
_In_opt_ SIZE_T StackCommit
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwCreateWorkerFactory(
_Out_ PHANDLE WorkerFactoryHandleReturn,
_In_ ACCESS_MASK DesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_ HANDLE CompletionPortHandle,
_In_ HANDLE WorkerProcessHandle,
_In_ PVOID StartRoutine,
_In_opt_ PVOID StartParameter,
_In_opt_ ULONG MaxThreadCount,
_In_opt_ SIZE_T StackReserve,
_In_opt_ SIZE_T StackCommit
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueryInformationWorkerFactory(
_In_ HANDLE WorkerFactoryHandle,
_In_ WORKERFACTORYINFOCLASS WorkerFactoryInformationClass,
_Out_writes_bytes_(WorkerFactoryInformationLength) PVOID WorkerFactoryInformation,
_In_ ULONG WorkerFactoryInformationLength,
_Out_opt_ PULONG ReturnLength
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryInformationWorkerFactory(
_In_ HANDLE WorkerFactoryHandle,
_In_ WORKERFACTORYINFOCLASS WorkerFactoryInformationClass,
_Out_writes_bytes_(WorkerFactoryInformationLength) PVOID WorkerFactoryInformation,
_In_ ULONG WorkerFactoryInformationLength,
_Out_opt_ PULONG ReturnLength
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetInformationWorkerFactory(
_In_ HANDLE WorkerFactoryHandle,
_In_ WORKERFACTORYINFOCLASS WorkerFactoryInformationClass,
_In_reads_bytes_(WorkerFactoryInformationLength) PVOID WorkerFactoryInformation,
_In_ ULONG WorkerFactoryInformationLength
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwSetInformationWorkerFactory(
_In_ HANDLE WorkerFactoryHandle,
_In_ WORKERFACTORYINFOCLASS WorkerFactoryInformationClass,
_In_reads_bytes_(WorkerFactoryInformationLength) PVOID WorkerFactoryInformation,
_In_ ULONG WorkerFactoryInformationLength
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtShutdownWorkerFactory(
_In_ HANDLE WorkerFactoryHandle,
_Inout_ volatile LONG* PendingWorkerCount
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwShutdownWorkerFactory(
_In_ HANDLE WorkerFactoryHandle,
_Inout_ volatile LONG* PendingWorkerCount
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtReleaseWorkerFactoryWorker(
_In_ HANDLE WorkerFactoryHandle
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwReleaseWorkerFactoryWorker(
_In_ HANDLE WorkerFactoryHandle
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtWorkerFactoryWorkerReady(
_In_ HANDLE WorkerFactoryHandle
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwWorkerFactoryWorkerReady(
_In_ HANDLE WorkerFactoryHandle
);
struct _FILE_IO_COMPLETION_INFORMATION;
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtWaitForWorkViaWorkerFactory(
_In_ HANDLE WorkerFactoryHandle,
_Out_ struct _FILE_IO_COMPLETION_INFORMATION* MiniPacket
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwWaitForWorkViaWorkerFactory(
_In_ HANDLE WorkerFactoryHandle,
_Out_ struct _FILE_IO_COMPLETION_INFORMATION* MiniPacket
);
#endif
//
// Time
//
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtQuerySystemTime(
_Out_ PLARGE_INTEGER SystemTime
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwQuerySystemTime(
_Out_ PLARGE_INTEGER SystemTime
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetSystemTime(
_In_opt_ PLARGE_INTEGER SystemTime,
_Out_opt_ PLARGE_INTEGER PreviousTime
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwSetSystemTime(
_In_opt_ PLARGE_INTEGER SystemTime,
_Out_opt_ PLARGE_INTEGER PreviousTime
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueryTimerResolution(
_Out_ PULONG MaximumTime,
_Out_ PULONG MinimumTime,
_Out_ PULONG CurrentTime
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryTimerResolution(
_Out_ PULONG MaximumTime,
_Out_ PULONG MinimumTime,
_Out_ PULONG CurrentTime
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetTimerResolution(
_In_ ULONG DesiredTime,
_In_ BOOLEAN SetResolution,
_Out_ PULONG ActualTime
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwSetTimerResolution(
_In_ ULONG DesiredTime,
_In_ BOOLEAN SetResolution,
_Out_ PULONG ActualTime
);
//
// Performance Counter
//
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueryPerformanceCounter(
_Out_ PLARGE_INTEGER PerformanceCounter,
_Out_opt_ PLARGE_INTEGER PerformanceFrequency
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryPerformanceCounter(
_Out_ PLARGE_INTEGER PerformanceCounter,
_Out_opt_ PLARGE_INTEGER PerformanceFrequency
);
//
// LUIDs
//
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtAllocateLocallyUniqueId(
_Out_ PLUID Luid
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwAllocateLocallyUniqueId(
_Out_ PLUID Luid
);
//
// UUIDs
//
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetUuidSeed(
_In_ PCHAR Seed
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwSetUuidSeed(
_In_ PCHAR Seed
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtAllocateUuids(
_Out_ PULARGE_INTEGER Time,
_Out_ PULONG Range,
_Out_ PULONG Sequence,
_Out_ PCHAR Seed
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwAllocateUuids(
_Out_ PULARGE_INTEGER Time,
_Out_ PULONG Range,
_Out_ PULONG Sequence,
_Out_ PCHAR Seed
);
//
// System Information
//
// rev
// private
typedef enum _SYSTEM_INFORMATION_CLASS
{
SystemBasicInformation, // q: SYSTEM_BASIC_INFORMATION
SystemProcessorInformation, // q: SYSTEM_PROCESSOR_INFORMATION
SystemPerformanceInformation, // q: SYSTEM_PERFORMANCE_INFORMATION
SystemTimeOfDayInformation, // q: SYSTEM_TIMEOFDAY_INFORMATION
SystemPathInformation, // not implemented
SystemProcessInformation, // q: SYSTEM_PROCESS_INFORMATION
SystemCallCountInformation, // q: SYSTEM_CALL_COUNT_INFORMATION
SystemDeviceInformation, // q: SYSTEM_DEVICE_INFORMATION
SystemProcessorPerformanceInformation, // q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION (EX in: USHORT ProcessorGroup)
SystemFlagsInformation, // q: SYSTEM_FLAGS_INFORMATION
SystemCallTimeInformation, // not implemented // SYSTEM_CALL_TIME_INFORMATION // 10
SystemModuleInformation, // q: RTL_PROCESS_MODULES
SystemLocksInformation, // q: RTL_PROCESS_LOCKS
SystemStackTraceInformation, // q: RTL_PROCESS_BACKTRACES
SystemPagedPoolInformation, // not implemented
SystemNonPagedPoolInformation, // not implemented
SystemHandleInformation, // q: SYSTEM_HANDLE_INFORMATION
SystemObjectInformation, // q: SYSTEM_OBJECTTYPE_INFORMATION mixed with SYSTEM_OBJECT_INFORMATION
SystemPageFileInformation, // q: SYSTEM_PAGEFILE_INFORMATION
SystemVdmInstemulInformation, // q: SYSTEM_VDM_INSTEMUL_INFO
SystemVdmBopInformation, // not implemented // 20
SystemFileCacheInformation, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemCache)
SystemPoolTagInformation, // q: SYSTEM_POOLTAG_INFORMATION
SystemInterruptInformation, // q: SYSTEM_INTERRUPT_INFORMATION
SystemDpcBehaviorInformation, // q: SYSTEM_DPC_BEHAVIOR_INFORMATION; s: SYSTEM_DPC_BEHAVIOR_INFORMATION (requires SeLoadDriverPrivilege)
SystemFullMemoryInformation, // not implemented // SYSTEM_MEMORY_USAGE_INFORMATION
SystemLoadGdiDriverInformation, // s (kernel-mode only)
SystemUnloadGdiDriverInformation, // s (kernel-mode only)
SystemTimeAdjustmentInformation, // q: SYSTEM_QUERY_TIME_ADJUST_INFORMATION; s: SYSTEM_SET_TIME_ADJUST_INFORMATION (requires SeSystemtimePrivilege)
SystemSummaryMemoryInformation, // not implemented // SYSTEM_MEMORY_USAGE_INFORMATION
SystemMirrorMemoryInformation, // s (requires license value "Kernel-MemoryMirroringSupported") (requires SeShutdownPrivilege) // 30
SystemPerformanceTraceInformation, // q; s: (type depends on EVENT_TRACE_INFORMATION_CLASS)
SystemObsolete0, // not implemented
SystemExceptionInformation, // q: SYSTEM_EXCEPTION_INFORMATION
SystemCrashDumpStateInformation, // s: SYSTEM_CRASH_DUMP_STATE_INFORMATION (requires SeDebugPrivilege)
SystemKernelDebuggerInformation, // q: SYSTEM_KERNEL_DEBUGGER_INFORMATION
SystemContextSwitchInformation, // q: SYSTEM_CONTEXT_SWITCH_INFORMATION
SystemRegistryQuotaInformation, // q: SYSTEM_REGISTRY_QUOTA_INFORMATION; s (requires SeIncreaseQuotaPrivilege)
SystemExtendServiceTableInformation, // s (requires SeLoadDriverPrivilege) // loads win32k only
SystemPrioritySeperation, // s (requires SeTcbPrivilege)
SystemVerifierAddDriverInformation, // s (requires SeDebugPrivilege) // 40
SystemVerifierRemoveDriverInformation, // s (requires SeDebugPrivilege)
SystemProcessorIdleInformation, // q: SYSTEM_PROCESSOR_IDLE_INFORMATION
SystemLegacyDriverInformation, // q: SYSTEM_LEGACY_DRIVER_INFORMATION
SystemCurrentTimeZoneInformation, // q; s: RTL_TIME_ZONE_INFORMATION
SystemLookasideInformation, // q: SYSTEM_LOOKASIDE_INFORMATION
SystemTimeSlipNotification, // s: HANDLE (NtCreateEvent) (requires SeSystemtimePrivilege)
SystemSessionCreate, // not implemented
SystemSessionDetach, // not implemented
SystemSessionInformation, // not implemented (SYSTEM_SESSION_INFORMATION)
SystemRangeStartInformation, // q: SYSTEM_RANGE_START_INFORMATION // 50
SystemVerifierInformation, // q: SYSTEM_VERIFIER_INFORMATION; s (requires SeDebugPrivilege)
SystemVerifierThunkExtend, // s (kernel-mode only)
SystemSessionProcessInformation, // q: SYSTEM_SESSION_PROCESS_INFORMATION
SystemLoadGdiDriverInSystemSpace, // s (kernel-mode only) (same as SystemLoadGdiDriverInformation)
SystemNumaProcessorMap, // q
SystemPrefetcherInformation, // q: PREFETCHER_INFORMATION; s: PREFETCHER_INFORMATION // PfSnQueryPrefetcherInformation
SystemExtendedProcessInformation, // q: SYSTEM_PROCESS_INFORMATION
SystemRecommendedSharedDataAlignment, // q
SystemComPlusPackage, // q; s
SystemNumaAvailableMemory, // 60
SystemProcessorPowerInformation, // q: SYSTEM_PROCESSOR_POWER_INFORMATION
SystemEmulationBasicInformation,
SystemEmulationProcessorInformation,
SystemExtendedHandleInformation, // q: SYSTEM_HANDLE_INFORMATION_EX
SystemLostDelayedWriteInformation, // q: ULONG
SystemBigPoolInformation, // q: SYSTEM_BIGPOOL_INFORMATION
SystemSessionPoolTagInformation, // q: SYSTEM_SESSION_POOLTAG_INFORMATION
SystemSessionMappedViewInformation, // q: SYSTEM_SESSION_MAPPED_VIEW_INFORMATION
SystemHotpatchInformation, // q; s: SYSTEM_HOTPATCH_CODE_INFORMATION
SystemObjectSecurityMode, // q: ULONG // 70
SystemWatchdogTimerHandler, // s (kernel-mode only)
SystemWatchdogTimerInformation, // q (kernel-mode only); s (kernel-mode only)
SystemLogicalProcessorInformation, // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION
SystemWow64SharedInformationObsolete, // not implemented
SystemRegisterFirmwareTableInformationHandler, // s: SYSTEM_FIRMWARE_TABLE_HANDLER // (kernel-mode only)
SystemFirmwareTableInformation, // SYSTEM_FIRMWARE_TABLE_INFORMATION
SystemModuleInformationEx, // q: RTL_PROCESS_MODULE_INFORMATION_EX
SystemVerifierTriageInformation, // not implemented
SystemSuperfetchInformation, // q; s: SUPERFETCH_INFORMATION // PfQuerySuperfetchInformation
SystemMemoryListInformation, // q: SYSTEM_MEMORY_LIST_INFORMATION; s: SYSTEM_MEMORY_LIST_COMMAND (requires SeProfileSingleProcessPrivilege) // 80
SystemFileCacheInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (same as SystemFileCacheInformation)
SystemThreadPriorityClientIdInformation, // s: SYSTEM_THREAD_CID_PRIORITY_INFORMATION (requires SeIncreaseBasePriorityPrivilege)
SystemProcessorIdleCycleTimeInformation, // q: SYSTEM_PROCESSOR_IDLE_CYCLE_TIME_INFORMATION[]
SystemVerifierCancellationInformation, // SYSTEM_VERIFIER_CANCELLATION_INFORMATION // name:wow64:whNT32QuerySystemVerifierCancellationInformation
SystemProcessorPowerInformationEx, // not implemented
SystemRefTraceInformation, // q; s: SYSTEM_REF_TRACE_INFORMATION // ObQueryRefTraceInformation
SystemSpecialPoolInformation, // q; s: SYSTEM_SPECIAL_POOL_INFORMATION (requires SeDebugPrivilege) // MmSpecialPoolTag, then MmSpecialPoolCatchOverruns != 0
SystemProcessIdInformation, // q: SYSTEM_PROCESS_ID_INFORMATION
SystemErrorPortInformation, // s (requires SeTcbPrivilege)
SystemBootEnvironmentInformation, // q: SYSTEM_BOOT_ENVIRONMENT_INFORMATION // 90
SystemHypervisorInformation, // q; s (kernel-mode only)
SystemVerifierInformationEx, // q; s: SYSTEM_VERIFIER_INFORMATION_EX
SystemTimeZoneInformation, // s (requires SeTimeZonePrivilege)
SystemImageFileExecutionOptionsInformation, // s: SYSTEM_IMAGE_FILE_EXECUTION_OPTIONS_INFORMATION (requires SeTcbPrivilege)
SystemCoverageInformation, // q; s // name:wow64:whNT32QuerySystemCoverageInformation; ExpCovQueryInformation
SystemPrefetchPatchInformation, // SYSTEM_PREFETCH_PATCH_INFORMATION
SystemVerifierFaultsInformation, // s: SYSTEM_VERIFIER_FAULTS_INFORMATION (requires SeDebugPrivilege)
SystemSystemPartitionInformation, // q: SYSTEM_SYSTEM_PARTITION_INFORMATION
SystemSystemDiskInformation, // q: SYSTEM_SYSTEM_DISK_INFORMATION
SystemProcessorPerformanceDistribution, // q: SYSTEM_PROCESSOR_PERFORMANCE_DISTRIBUTION // 100
SystemNumaProximityNodeInformation,
SystemDynamicTimeZoneInformation, // q; s (requires SeTimeZonePrivilege)
SystemCodeIntegrityInformation, // q: SYSTEM_CODEINTEGRITY_INFORMATION // SeCodeIntegrityQueryInformation
SystemProcessorMicrocodeUpdateInformation, // s: SYSTEM_PROCESSOR_MICROCODE_UPDATE_INFORMATION
SystemProcessorBrandString, // q // HaliQuerySystemInformation -> HalpGetProcessorBrandString, info class 23
SystemVirtualAddressInformation, // q: SYSTEM_VA_LIST_INFORMATION[]; s: SYSTEM_VA_LIST_INFORMATION[] (requires SeIncreaseQuotaPrivilege) // MmQuerySystemVaInformation
SystemLogicalProcessorAndGroupInformation, // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX // since WIN7 // KeQueryLogicalProcessorRelationship
SystemProcessorCycleTimeInformation, // q: SYSTEM_PROCESSOR_CYCLE_TIME_INFORMATION[]
SystemStoreInformation, // q; s: SYSTEM_STORE_INFORMATION // SmQueryStoreInformation
SystemRegistryAppendString, // s: SYSTEM_REGISTRY_APPEND_STRING_PARAMETERS // 110
SystemAitSamplingValue, // s: ULONG (requires SeProfileSingleProcessPrivilege)
SystemVhdBootInformation, // q: SYSTEM_VHD_BOOT_INFORMATION
SystemCpuQuotaInformation, // q; s: PS_CPU_QUOTA_QUERY_INFORMATION
SystemNativeBasicInformation, // q: SYSTEM_BASIC_INFORMATION
SystemErrorPortTimeouts, // SYSTEM_ERROR_PORT_TIMEOUTS
SystemLowPriorityIoInformation, // q: SYSTEM_LOW_PRIORITY_IO_INFORMATION
SystemTpmBootEntropyInformation, // q: TPM_BOOT_ENTROPY_NT_RESULT // ExQueryTpmBootEntropyInformation
SystemVerifierCountersInformation, // q: SYSTEM_VERIFIER_COUNTERS_INFORMATION
SystemPagedPoolInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypePagedPool)
SystemSystemPtesInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemPtes) // 120
SystemNodeDistanceInformation,
SystemAcpiAuditInformation, // q: SYSTEM_ACPI_AUDIT_INFORMATION // HaliQuerySystemInformation -> HalpAuditQueryResults, info class 26
SystemBasicPerformanceInformation, // q: SYSTEM_BASIC_PERFORMANCE_INFORMATION // name:wow64:whNtQuerySystemInformation_SystemBasicPerformanceInformation
SystemQueryPerformanceCounterInformation, // q: SYSTEM_QUERY_PERFORMANCE_COUNTER_INFORMATION // since WIN7 SP1
SystemSessionBigPoolInformation, // q: SYSTEM_SESSION_POOLTAG_INFORMATION // since WIN8
SystemBootGraphicsInformation, // q; s: SYSTEM_BOOT_GRAPHICS_INFORMATION (kernel-mode only)
SystemScrubPhysicalMemoryInformation, // q; s: MEMORY_SCRUB_INFORMATION
SystemBadPageInformation,
SystemProcessorProfileControlArea, // q; s: SYSTEM_PROCESSOR_PROFILE_CONTROL_AREA
SystemCombinePhysicalMemoryInformation, // s: MEMORY_COMBINE_INFORMATION, MEMORY_COMBINE_INFORMATION_EX, MEMORY_COMBINE_INFORMATION_EX2 // 130
SystemEntropyInterruptTimingInformation,
SystemConsoleInformation, // q: SYSTEM_CONSOLE_INFORMATION
SystemPlatformBinaryInformation, // q: SYSTEM_PLATFORM_BINARY_INFORMATION
SystemPolicyInformation, // q: SYSTEM_POLICY_INFORMATION
SystemHypervisorProcessorCountInformation, // q: SYSTEM_HYPERVISOR_PROCESSOR_COUNT_INFORMATION
SystemDeviceDataInformation, // q: SYSTEM_DEVICE_DATA_INFORMATION
SystemDeviceDataEnumerationInformation, // q: SYSTEM_DEVICE_DATA_INFORMATION
SystemMemoryTopologyInformation, // q: SYSTEM_MEMORY_TOPOLOGY_INFORMATION
SystemMemoryChannelInformation, // q: SYSTEM_MEMORY_CHANNEL_INFORMATION
SystemBootLogoInformation, // q: SYSTEM_BOOT_LOGO_INFORMATION // 140
SystemProcessorPerformanceInformationEx, // q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION_EX // since WINBLUE
SystemCriticalProcessErrorLogInformation,
SystemSecureBootPolicyInformation, // q: SYSTEM_SECUREBOOT_POLICY_INFORMATION
SystemPageFileInformationEx, // q: SYSTEM_PAGEFILE_INFORMATION_EX
SystemSecureBootInformation, // q: SYSTEM_SECUREBOOT_INFORMATION
SystemEntropyInterruptTimingRawInformation,
SystemPortableWorkspaceEfiLauncherInformation, // q: SYSTEM_PORTABLE_WORKSPACE_EFI_LAUNCHER_INFORMATION
SystemFullProcessInformation, // q: SYSTEM_PROCESS_INFORMATION with SYSTEM_PROCESS_INFORMATION_EXTENSION (requires admin)
SystemKernelDebuggerInformationEx, // q: SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX
SystemBootMetadataInformation, // 150
SystemSoftRebootInformation, // q: ULONG
SystemElamCertificateInformation, // s: SYSTEM_ELAM_CERTIFICATE_INFORMATION
SystemOfflineDumpConfigInformation,
SystemProcessorFeaturesInformation, // q: SYSTEM_PROCESSOR_FEATURES_INFORMATION
SystemRegistryReconciliationInformation, // s: NULL (requires admin) (flushes registry hives)
SystemEdidInformation,
SystemManufacturingInformation, // q: SYSTEM_MANUFACTURING_INFORMATION // since THRESHOLD
SystemEnergyEstimationConfigInformation, // q: SYSTEM_ENERGY_ESTIMATION_CONFIG_INFORMATION
SystemHypervisorDetailInformation, // q: SYSTEM_HYPERVISOR_DETAIL_INFORMATION
SystemProcessorCycleStatsInformation, // q: SYSTEM_PROCESSOR_CYCLE_STATS_INFORMATION // 160
SystemVmGenerationCountInformation,
SystemTrustedPlatformModuleInformation, // q: SYSTEM_TPM_INFORMATION
SystemKernelDebuggerFlags, // SYSTEM_KERNEL_DEBUGGER_FLAGS
SystemCodeIntegrityPolicyInformation, // q: SYSTEM_CODEINTEGRITYPOLICY_INFORMATION
SystemIsolatedUserModeInformation, // q: SYSTEM_ISOLATED_USER_MODE_INFORMATION
SystemHardwareSecurityTestInterfaceResultsInformation,
SystemSingleModuleInformation, // q: SYSTEM_SINGLE_MODULE_INFORMATION
SystemAllowedCpuSetsInformation,
SystemVsmProtectionInformation, // q: SYSTEM_VSM_PROTECTION_INFORMATION (previously SystemDmaProtectionInformation)
SystemInterruptCpuSetsInformation, // q: SYSTEM_INTERRUPT_CPU_SET_INFORMATION // 170
SystemSecureBootPolicyFullInformation, // q: SYSTEM_SECUREBOOT_POLICY_FULL_INFORMATION
SystemCodeIntegrityPolicyFullInformation,
SystemAffinitizedInterruptProcessorInformation,
SystemRootSiloInformation, // q: SYSTEM_ROOT_SILO_INFORMATION
SystemCpuSetInformation, // q: SYSTEM_CPU_SET_INFORMATION // since THRESHOLD2
SystemCpuSetTagInformation, // q: SYSTEM_CPU_SET_TAG_INFORMATION
SystemWin32WerStartCallout,
SystemSecureKernelProfileInformation, // q: SYSTEM_SECURE_KERNEL_HYPERGUARD_PROFILE_INFORMATION
SystemCodeIntegrityPlatformManifestInformation, // q: SYSTEM_SECUREBOOT_PLATFORM_MANIFEST_INFORMATION // since REDSTONE
SystemInterruptSteeringInformation, // SYSTEM_INTERRUPT_STEERING_INFORMATION_INPUT // 180
SystemSupportedProcessorArchitectures, // in: HANDLE, out: ULONG[3] // NtQuerySystemInformationEx
SystemMemoryUsageInformation, // q: SYSTEM_MEMORY_USAGE_INFORMATION
SystemCodeIntegrityCertificateInformation, // q: SYSTEM_CODEINTEGRITY_CERTIFICATE_INFORMATION
SystemPhysicalMemoryInformation, // q: SYSTEM_PHYSICAL_MEMORY_INFORMATION // since REDSTONE2
SystemControlFlowTransition,
SystemKernelDebuggingAllowed, // s: ULONG
SystemActivityModerationExeState, // SYSTEM_ACTIVITY_MODERATION_EXE_STATE
SystemActivityModerationUserSettings, // SYSTEM_ACTIVITY_MODERATION_USER_SETTINGS
SystemCodeIntegrityPoliciesFullInformation,
SystemCodeIntegrityUnlockInformation, // SYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION // 190
SystemIntegrityQuotaInformation,
SystemFlushInformation, // q: SYSTEM_FLUSH_INFORMATION
SystemProcessorIdleMaskInformation, // q: ULONG_PTR // since REDSTONE3
SystemSecureDumpEncryptionInformation,
SystemWriteConstraintInformation, // SYSTEM_WRITE_CONSTRAINT_INFORMATION
SystemKernelVaShadowInformation, // SYSTEM_KERNEL_VA_SHADOW_INFORMATION
SystemHypervisorSharedPageInformation, // SYSTEM_HYPERVISOR_SHARED_PAGE_INFORMATION // since REDSTONE4
SystemFirmwareBootPerformanceInformation,
SystemCodeIntegrityVerificationInformation, // SYSTEM_CODEINTEGRITYVERIFICATION_INFORMATION
SystemFirmwarePartitionInformation, // SYSTEM_FIRMWARE_PARTITION_INFORMATION // 200
SystemSpeculationControlInformation, // SYSTEM_SPECULATION_CONTROL_INFORMATION // (CVE-2017-5715) REDSTONE3 and above.
SystemDmaGuardPolicyInformation, // SYSTEM_DMA_GUARD_POLICY_INFORMATION
SystemEnclaveLaunchControlInformation, // SYSTEM_ENCLAVE_LAUNCH_CONTROL_INFORMATION
SystemWorkloadAllowedCpuSetsInformation, // SYSTEM_WORKLOAD_ALLOWED_CPU_SET_INFORMATION // since REDSTONE5
SystemCodeIntegrityUnlockModeInformation,
SystemLeapSecondInformation, // SYSTEM_LEAP_SECOND_INFORMATION
SystemFlags2Information, // q: SYSTEM_FLAGS_INFORMATION
SystemSecurityModelInformation, // SYSTEM_SECURITY_MODEL_INFORMATION // since 19H1
SystemCodeIntegritySyntheticCacheInformation,
SystemFeatureConfigurationInformation, // SYSTEM_FEATURE_CONFIGURATION_INFORMATION // since 20H1 // 210
SystemFeatureConfigurationSectionInformation, // SYSTEM_FEATURE_CONFIGURATION_SECTIONS_INFORMATION
SystemFeatureUsageSubscriptionInformation,
SystemSecureSpeculationControlInformation, // SECURE_SPECULATION_CONTROL_INFORMATION
SystemSpacesBootInformation, // since 20H2
SystemFwRamdiskInformation, // SYSTEM_FIRMWARE_RAMDISK_INFORMATION
SystemWheaIpmiHardwareInformation,
SystemDifSetRuleClassInformation,
SystemDifClearRuleClassInformation,
SystemDifApplyPluginVerificationOnDriver,
SystemDifRemovePluginVerificationOnDriver, // 220
SystemShadowStackInformation, // SYSTEM_SHADOW_STACK_INFORMATION
SystemBuildVersionInformation, // SYSTEM_BUILD_VERSION_INFORMATION
SystemPoolLimitInformation, // SYSTEM_POOL_LIMIT_INFORMATION
SystemCodeIntegrityAddDynamicStore,
SystemCodeIntegrityClearDynamicStores,
SystemDifPoolTrackingInformation,
SystemPoolZeroingInformation, // SYSTEM_POOL_ZEROING_INFORMATION
SystemDpcWatchdogInformation,
SystemDpcWatchdogInformation2,
SystemSupportedProcessorArchitectures2, // q: in opt: HANDLE, out: SYSTEM_SUPPORTED_PROCESSOR_ARCHITECTURES_INFORMATION[] // NtQuerySystemInformationEx // 230
SystemSingleProcessorRelationshipInformation,
SystemXfgCheckFailureInformation,
SystemIommuStateInformation, // SYSTEM_IOMMU_STATE_INFORMATION // since 11H1
SystemHypervisorMinrootInformation, // SYSTEM_HYPERVISOR_MINROOT_INFORMATION
SystemHypervisorBootPagesInformation, // SYSTEM_HYPERVISOR_BOOT_PAGES_INFORMATION
SystemPointerAuthInformation, // SYSTEM_POINTER_AUTH_INFORMATION
SystemSecureKernelDebuggerInformation,
SystemOriginalImageFeatureInformation,
MaxSystemInfoClass
} SYSTEM_INFORMATION_CLASS;
typedef struct _SYSTEM_BASIC_INFORMATION
{
ULONG Reserved;
ULONG TimerResolution;
ULONG PageSize;
ULONG NumberOfPhysicalPages;
ULONG LowestPhysicalPageNumber;
ULONG HighestPhysicalPageNumber;
ULONG AllocationGranularity;
ULONG_PTR MinimumUserModeAddress;
ULONG_PTR MaximumUserModeAddress;
ULONG_PTR ActiveProcessorsAffinityMask;
CCHAR NumberOfProcessors;
} SYSTEM_BASIC_INFORMATION, * PSYSTEM_BASIC_INFORMATION;
typedef struct _SYSTEM_PROCESSOR_INFORMATION
{
USHORT ProcessorArchitecture;
USHORT ProcessorLevel;
USHORT ProcessorRevision;
USHORT MaximumProcessors;
ULONG ProcessorFeatureBits;
} SYSTEM_PROCESSOR_INFORMATION, * PSYSTEM_PROCESSOR_INFORMATION;
typedef struct _SYSTEM_PERFORMANCE_INFORMATION
{
LARGE_INTEGER IdleProcessTime;
LARGE_INTEGER IoReadTransferCount;
LARGE_INTEGER IoWriteTransferCount;
LARGE_INTEGER IoOtherTransferCount;
ULONG IoReadOperationCount;
ULONG IoWriteOperationCount;
ULONG IoOtherOperationCount;
ULONG AvailablePages;
ULONG CommittedPages;
ULONG CommitLimit;
ULONG PeakCommitment;
ULONG PageFaultCount;
ULONG CopyOnWriteCount;
ULONG TransitionCount;
ULONG CacheTransitionCount;
ULONG DemandZeroCount;
ULONG PageReadCount;
ULONG PageReadIoCount;
ULONG CacheReadCount;
ULONG CacheIoCount;
ULONG DirtyPagesWriteCount;
ULONG DirtyWriteIoCount;
ULONG MappedPagesWriteCount;
ULONG MappedWriteIoCount;
ULONG PagedPoolPages;
ULONG NonPagedPoolPages;
ULONG PagedPoolAllocs;
ULONG PagedPoolFrees;
ULONG NonPagedPoolAllocs;
ULONG NonPagedPoolFrees;
ULONG FreeSystemPtes;
ULONG ResidentSystemCodePage;
ULONG TotalSystemDriverPages;
ULONG TotalSystemCodePages;
ULONG NonPagedPoolLookasideHits;
ULONG PagedPoolLookasideHits;
ULONG AvailablePagedPoolPages;
ULONG ResidentSystemCachePage;
ULONG ResidentPagedPoolPage;
ULONG ResidentSystemDriverPage;
ULONG CcFastReadNoWait;
ULONG CcFastReadWait;
ULONG CcFastReadResourceMiss;
ULONG CcFastReadNotPossible;
ULONG CcFastMdlReadNoWait;
ULONG CcFastMdlReadWait;
ULONG CcFastMdlReadResourceMiss;
ULONG CcFastMdlReadNotPossible;
ULONG CcMapDataNoWait;
ULONG CcMapDataWait;
ULONG CcMapDataNoWaitMiss;
ULONG CcMapDataWaitMiss;
ULONG CcPinMappedDataCount;
ULONG CcPinReadNoWait;
ULONG CcPinReadWait;
ULONG CcPinReadNoWaitMiss;
ULONG CcPinReadWaitMiss;
ULONG CcCopyReadNoWait;
ULONG CcCopyReadWait;
ULONG CcCopyReadNoWaitMiss;
ULONG CcCopyReadWaitMiss;
ULONG CcMdlReadNoWait;
ULONG CcMdlReadWait;
ULONG CcMdlReadNoWaitMiss;
ULONG CcMdlReadWaitMiss;
ULONG CcReadAheadIos;
ULONG CcLazyWriteIos;
ULONG CcLazyWritePages;
ULONG CcDataFlushes;
ULONG CcDataPages;
ULONG ContextSwitches;
ULONG FirstLevelTbFills;
ULONG SecondLevelTbFills;
ULONG SystemCalls;
ULONGLONG CcTotalDirtyPages; // since THRESHOLD
ULONGLONG CcDirtyPageThreshold; // since THRESHOLD
LONGLONG ResidentAvailablePages; // since THRESHOLD
ULONGLONG SharedCommittedPages; // since THRESHOLD
} SYSTEM_PERFORMANCE_INFORMATION, * PSYSTEM_PERFORMANCE_INFORMATION;
typedef struct _SYSTEM_TIMEOFDAY_INFORMATION
{
LARGE_INTEGER BootTime;
LARGE_INTEGER CurrentTime;
LARGE_INTEGER TimeZoneBias;
ULONG TimeZoneId;
ULONG Reserved;
ULONGLONG BootTimeBias;
ULONGLONG SleepTimeBias;
} SYSTEM_TIMEOFDAY_INFORMATION, * PSYSTEM_TIMEOFDAY_INFORMATION;
typedef struct _SYSTEM_THREAD_INFORMATION
{
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER CreateTime;
ULONG WaitTime;
PVOID StartAddress;
CLIENT_ID ClientId;
KPRIORITY Priority;
LONG BasePriority;
ULONG ContextSwitches;
KTHREAD_STATE ThreadState;
KWAIT_REASON WaitReason;
} SYSTEM_THREAD_INFORMATION, * PSYSTEM_THREAD_INFORMATION;
typedef struct _TEB TEB, * PTEB;
// private
typedef struct _SYSTEM_EXTENDED_THREAD_INFORMATION
{
SYSTEM_THREAD_INFORMATION ThreadInfo;
PVOID StackBase;
PVOID StackLimit;
PVOID Win32StartAddress;
PTEB TebBase; // since VISTA
ULONG_PTR Reserved2;
ULONG_PTR Reserved3;
ULONG_PTR Reserved4;
} SYSTEM_EXTENDED_THREAD_INFORMATION, * PSYSTEM_EXTENDED_THREAD_INFORMATION;
typedef struct _SYSTEM_PROCESS_INFORMATION
{
ULONG NextEntryOffset;
ULONG NumberOfThreads;
LARGE_INTEGER WorkingSetPrivateSize; // since VISTA
ULONG HardFaultCount; // since WIN7
ULONG NumberOfThreadsHighWatermark; // since WIN7
ULONGLONG CycleTime; // since WIN7
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ImageName;
KPRIORITY BasePriority;
HANDLE UniqueProcessId;
HANDLE InheritedFromUniqueProcessId;
ULONG HandleCount;
ULONG SessionId;
ULONG_PTR UniqueProcessKey; // since VISTA (requires SystemExtendedProcessInformation)
SIZE_T PeakVirtualSize;
SIZE_T VirtualSize;
ULONG PageFaultCount;
SIZE_T PeakWorkingSetSize;
SIZE_T WorkingSetSize;
SIZE_T QuotaPeakPagedPoolUsage;
SIZE_T QuotaPagedPoolUsage;
SIZE_T QuotaPeakNonPagedPoolUsage;
SIZE_T QuotaNonPagedPoolUsage;
SIZE_T PagefileUsage;
SIZE_T PeakPagefileUsage;
SIZE_T PrivatePageCount;
LARGE_INTEGER ReadOperationCount;
LARGE_INTEGER WriteOperationCount;
LARGE_INTEGER OtherOperationCount;
LARGE_INTEGER ReadTransferCount;
LARGE_INTEGER WriteTransferCount;
LARGE_INTEGER OtherTransferCount;
SYSTEM_THREAD_INFORMATION Threads[1]; // SystemProcessInformation
// SYSTEM_EXTENDED_THREAD_INFORMATION Threads[1]; // SystemExtendedProcessinformation
// SYSTEM_EXTENDED_THREAD_INFORMATION + SYSTEM_PROCESS_INFORMATION_EXTENSION // SystemFullProcessInformation
} SYSTEM_PROCESS_INFORMATION, * PSYSTEM_PROCESS_INFORMATION;
typedef struct _SYSTEM_CALL_COUNT_INFORMATION
{
ULONG Length;
ULONG NumberOfTables;
} SYSTEM_CALL_COUNT_INFORMATION, * PSYSTEM_CALL_COUNT_INFORMATION;
typedef struct _SYSTEM_DEVICE_INFORMATION
{
ULONG NumberOfDisks;
ULONG NumberOfFloppies;
ULONG NumberOfCdRoms;
ULONG NumberOfTapes;
ULONG NumberOfSerialPorts;
ULONG NumberOfParallelPorts;
} SYSTEM_DEVICE_INFORMATION, * PSYSTEM_DEVICE_INFORMATION;
typedef struct _SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION
{
LARGE_INTEGER IdleTime;
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER DpcTime;
LARGE_INTEGER InterruptTime;
ULONG InterruptCount;
} SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION, * PSYSTEM_PROCESSOR_PERFORMANCE_INFORMATION;
typedef struct _SYSTEM_FLAGS_INFORMATION
{
ULONG Flags; // NtGlobalFlag
} SYSTEM_FLAGS_INFORMATION, * PSYSTEM_FLAGS_INFORMATION;
// private
typedef struct _SYSTEM_CALL_TIME_INFORMATION
{
ULONG Length;
ULONG TotalCalls;
LARGE_INTEGER TimeOfCalls[1];
} SYSTEM_CALL_TIME_INFORMATION, * PSYSTEM_CALL_TIME_INFORMATION;
// private
typedef struct _RTL_PROCESS_LOCK_INFORMATION
{
PVOID Address;
USHORT Type;
USHORT CreatorBackTraceIndex;
HANDLE OwningThread;
LONG LockCount;
ULONG ContentionCount;
ULONG EntryCount;
LONG RecursionCount;
ULONG NumberOfWaitingShared;
ULONG NumberOfWaitingExclusive;
} RTL_PROCESS_LOCK_INFORMATION, * PRTL_PROCESS_LOCK_INFORMATION;
// private
typedef struct _RTL_PROCESS_LOCKS
{
ULONG NumberOfLocks;
RTL_PROCESS_LOCK_INFORMATION Locks[1];
} RTL_PROCESS_LOCKS, * PRTL_PROCESS_LOCKS;
// private
typedef struct _RTL_PROCESS_BACKTRACE_INFORMATION
{
PCHAR SymbolicBackTrace;
ULONG TraceCount;
USHORT Index;
USHORT Depth;
PVOID BackTrace[32];
} RTL_PROCESS_BACKTRACE_INFORMATION, * PRTL_PROCESS_BACKTRACE_INFORMATION;
// private
typedef struct _RTL_PROCESS_BACKTRACES
{
ULONG CommittedMemory;
ULONG ReservedMemory;
ULONG NumberOfBackTraceLookups;
ULONG NumberOfBackTraces;
RTL_PROCESS_BACKTRACE_INFORMATION BackTraces[1];
} RTL_PROCESS_BACKTRACES, * PRTL_PROCESS_BACKTRACES;
typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO
{
USHORT UniqueProcessId;
USHORT CreatorBackTraceIndex;
UCHAR ObjectTypeIndex;
UCHAR HandleAttributes;
USHORT HandleValue;
PVOID Object;
ULONG GrantedAccess;
} SYSTEM_HANDLE_TABLE_ENTRY_INFO, * PSYSTEM_HANDLE_TABLE_ENTRY_INFO;
typedef struct _SYSTEM_HANDLE_INFORMATION
{
ULONG NumberOfHandles;
SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[1];
} SYSTEM_HANDLE_INFORMATION, * PSYSTEM_HANDLE_INFORMATION;
typedef struct _SYSTEM_OBJECTTYPE_INFORMATION
{
ULONG NextEntryOffset;
ULONG NumberOfObjects;
ULONG NumberOfHandles;
ULONG TypeIndex;
ULONG InvalidAttributes;
GENERIC_MAPPING GenericMapping;
ULONG ValidAccessMask;
ULONG PoolType;
BOOLEAN SecurityRequired;
BOOLEAN WaitableObject;
UNICODE_STRING TypeName;
} SYSTEM_OBJECTTYPE_INFORMATION, * PSYSTEM_OBJECTTYPE_INFORMATION;
typedef struct _SYSTEM_OBJECT_INFORMATION
{
ULONG NextEntryOffset;
PVOID Object;
HANDLE CreatorUniqueProcess;
USHORT CreatorBackTraceIndex;
USHORT Flags;
LONG PointerCount;
LONG HandleCount;
ULONG PagedPoolCharge;
ULONG NonPagedPoolCharge;
HANDLE ExclusiveProcessId;
PVOID SecurityDescriptor;
UNICODE_STRING NameInfo;
} SYSTEM_OBJECT_INFORMATION, * PSYSTEM_OBJECT_INFORMATION;
typedef struct _SYSTEM_PAGEFILE_INFORMATION
{
ULONG NextEntryOffset;
ULONG TotalSize;
ULONG TotalInUse;
ULONG PeakUsage;
UNICODE_STRING PageFileName;
} SYSTEM_PAGEFILE_INFORMATION, * PSYSTEM_PAGEFILE_INFORMATION;
typedef struct _SYSTEM_VDM_INSTEMUL_INFO
{
ULONG SegmentNotPresent;
ULONG VdmOpcode0F;
ULONG OpcodeESPrefix;
ULONG OpcodeCSPrefix;
ULONG OpcodeSSPrefix;
ULONG OpcodeDSPrefix;
ULONG OpcodeFSPrefix;
ULONG OpcodeGSPrefix;
ULONG OpcodeOPER32Prefix;
ULONG OpcodeADDR32Prefix;
ULONG OpcodeINSB;
ULONG OpcodeINSW;
ULONG OpcodeOUTSB;
ULONG OpcodeOUTSW;
ULONG OpcodePUSHF;
ULONG OpcodePOPF;
ULONG OpcodeINTnn;
ULONG OpcodeINTO;
ULONG OpcodeIRET;
ULONG OpcodeINBimm;
ULONG OpcodeINWimm;
ULONG OpcodeOUTBimm;
ULONG OpcodeOUTWimm;
ULONG OpcodeINB;
ULONG OpcodeINW;
ULONG OpcodeOUTB;
ULONG OpcodeOUTW;
ULONG OpcodeLOCKPrefix;
ULONG OpcodeREPNEPrefix;
ULONG OpcodeREPPrefix;
ULONG OpcodeHLT;
ULONG OpcodeCLI;
ULONG OpcodeSTI;
ULONG BopCount;
} SYSTEM_VDM_INSTEMUL_INFO, * PSYSTEM_VDM_INSTEMUL_INFO;
#define MM_WORKING_SET_MAX_HARD_ENABLE 0x1
#define MM_WORKING_SET_MAX_HARD_DISABLE 0x2
#define MM_WORKING_SET_MIN_HARD_ENABLE 0x4
#define MM_WORKING_SET_MIN_HARD_DISABLE 0x8
typedef struct _SYSTEM_FILECACHE_INFORMATION
{
SIZE_T CurrentSize;
SIZE_T PeakSize;
ULONG PageFaultCount;
SIZE_T MinimumWorkingSet;
SIZE_T MaximumWorkingSet;
SIZE_T CurrentSizeIncludingTransitionInPages;
SIZE_T PeakSizeIncludingTransitionInPages;
ULONG TransitionRePurposeCount;
ULONG Flags;
} SYSTEM_FILECACHE_INFORMATION, * PSYSTEM_FILECACHE_INFORMATION;
// Can be used instead of SYSTEM_FILECACHE_INFORMATION
typedef struct _SYSTEM_BASIC_WORKING_SET_INFORMATION
{
SIZE_T CurrentSize;
SIZE_T PeakSize;
ULONG PageFaultCount;
} SYSTEM_BASIC_WORKING_SET_INFORMATION, * PSYSTEM_BASIC_WORKING_SET_INFORMATION;
typedef struct _SYSTEM_POOLTAG
{
union
{
UCHAR Tag[4];
ULONG TagUlong;
};
ULONG PagedAllocs;
ULONG PagedFrees;
SIZE_T PagedUsed;
ULONG NonPagedAllocs;
ULONG NonPagedFrees;
SIZE_T NonPagedUsed;
} SYSTEM_POOLTAG, * PSYSTEM_POOLTAG;
typedef struct _SYSTEM_POOLTAG_INFORMATION
{
ULONG Count;
SYSTEM_POOLTAG TagInfo[1];
} SYSTEM_POOLTAG_INFORMATION, * PSYSTEM_POOLTAG_INFORMATION;
typedef struct _SYSTEM_INTERRUPT_INFORMATION
{
ULONG ContextSwitches;
ULONG DpcCount;
ULONG DpcRate;
ULONG TimeIncrement;
ULONG DpcBypassCount;
ULONG ApcBypassCount;
} SYSTEM_INTERRUPT_INFORMATION, * PSYSTEM_INTERRUPT_INFORMATION;
typedef struct _SYSTEM_DPC_BEHAVIOR_INFORMATION
{
ULONG Spare;
ULONG DpcQueueDepth;
ULONG MinimumDpcRate;
ULONG AdjustDpcThreshold;
ULONG IdealDpcRate;
} SYSTEM_DPC_BEHAVIOR_INFORMATION, * PSYSTEM_DPC_BEHAVIOR_INFORMATION;
typedef struct _SYSTEM_QUERY_TIME_ADJUST_INFORMATION
{
ULONG TimeAdjustment;
ULONG TimeIncrement;
BOOLEAN Enable;
} SYSTEM_QUERY_TIME_ADJUST_INFORMATION, * PSYSTEM_QUERY_TIME_ADJUST_INFORMATION;
typedef struct _SYSTEM_QUERY_TIME_ADJUST_INFORMATION_PRECISE
{
ULONGLONG TimeAdjustment;
ULONGLONG TimeIncrement;
BOOLEAN Enable;
} SYSTEM_QUERY_TIME_ADJUST_INFORMATION_PRECISE, * PSYSTEM_QUERY_TIME_ADJUST_INFORMATION_PRECISE;
typedef struct _SYSTEM_SET_TIME_ADJUST_INFORMATION
{
ULONG TimeAdjustment;
BOOLEAN Enable;
} SYSTEM_SET_TIME_ADJUST_INFORMATION, * PSYSTEM_SET_TIME_ADJUST_INFORMATION;
typedef struct _SYSTEM_SET_TIME_ADJUST_INFORMATION_PRECISE
{
ULONGLONG TimeAdjustment;
BOOLEAN Enable;
} SYSTEM_SET_TIME_ADJUST_INFORMATION_PRECISE, * PSYSTEM_SET_TIME_ADJUST_INFORMATION_PRECISE;
#ifndef _TRACEHANDLE_DEFINED
#define _TRACEHANDLE_DEFINED
typedef ULONG64 TRACEHANDLE, * PTRACEHANDLE;
#endif
typedef enum _EVENT_TRACE_INFORMATION_CLASS
{
EventTraceKernelVersionInformation, // EVENT_TRACE_VERSION_INFORMATION
EventTraceGroupMaskInformation, // EVENT_TRACE_GROUPMASK_INFORMATION
EventTracePerformanceInformation, // EVENT_TRACE_PERFORMANCE_INFORMATION
EventTraceTimeProfileInformation, // EVENT_TRACE_TIME_PROFILE_INFORMATION
EventTraceSessionSecurityInformation, // EVENT_TRACE_SESSION_SECURITY_INFORMATION
EventTraceSpinlockInformation, // EVENT_TRACE_SPINLOCK_INFORMATION
EventTraceStackTracingInformation, // EVENT_TRACE_SYSTEM_EVENT_INFORMATION
EventTraceExecutiveResourceInformation, // EVENT_TRACE_EXECUTIVE_RESOURCE_INFORMATION
EventTraceHeapTracingInformation, // EVENT_TRACE_HEAP_TRACING_INFORMATION
EventTraceHeapSummaryTracingInformation, // EVENT_TRACE_HEAP_TRACING_INFORMATION
EventTracePoolTagFilterInformation, // EVENT_TRACE_TAG_FILTER_INFORMATION
EventTracePebsTracingInformation, // EVENT_TRACE_SYSTEM_EVENT_INFORMATION
EventTraceProfileConfigInformation, // EVENT_TRACE_PROFILE_COUNTER_INFORMATION
EventTraceProfileSourceListInformation, // EVENT_TRACE_PROFILE_LIST_INFORMATION
EventTraceProfileEventListInformation, // EVENT_TRACE_SYSTEM_EVENT_INFORMATION
EventTraceProfileCounterListInformation, // EVENT_TRACE_PROFILE_COUNTER_INFORMATION
EventTraceStackCachingInformation, // EVENT_TRACE_STACK_CACHING_INFORMATION
EventTraceObjectTypeFilterInformation, // EVENT_TRACE_TAG_FILTER_INFORMATION
EventTraceSoftRestartInformation, // EVENT_TRACE_SOFT_RESTART_INFORMATION
EventTraceLastBranchConfigurationInformation, // REDSTONE3
EventTraceLastBranchEventListInformation,
EventTraceProfileSourceAddInformation, // EVENT_TRACE_PROFILE_ADD_INFORMATION // REDSTONE4
EventTraceProfileSourceRemoveInformation, // EVENT_TRACE_PROFILE_REMOVE_INFORMATION
EventTraceProcessorTraceConfigurationInformation,
EventTraceProcessorTraceEventListInformation,
EventTraceCoverageSamplerInformation, // EVENT_TRACE_COVERAGE_SAMPLER_INFORMATION
EventTraceUnifiedStackCachingInformation, // sicne 21H1
MaxEventTraceInfoClass
} EVENT_TRACE_INFORMATION_CLASS;
typedef struct _EVENT_TRACE_VERSION_INFORMATION
{
EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass;
ULONG EventTraceKernelVersion;
} EVENT_TRACE_VERSION_INFORMATION, * PEVENT_TRACE_VERSION_INFORMATION;
#define PERF_MASK_INDEX (0xe0000000)
#define PERF_MASK_GROUP (~PERF_MASK_INDEX)
#define PERF_NUM_MASKS 8
#define PERF_GET_MASK_INDEX(GM) (((GM) & PERF_MASK_INDEX) >> 29)
#define PERF_GET_MASK_GROUP(GM) ((GM) & PERF_MASK_GROUP)
#define PERFINFO_OR_GROUP_WITH_GROUPMASK(Group, pGroupMask) \
(pGroupMask)->Masks[PERF_GET_MASK_INDEX(Group)] |= PERF_GET_MASK_GROUP(Group);
// Masks[0]
#define PERF_PROCESS EVENT_TRACE_FLAG_PROCESS
#define PERF_THREAD EVENT_TRACE_FLAG_THREAD
#define PERF_PROC_THREAD EVENT_TRACE_FLAG_PROCESS | EVENT_TRACE_FLAG_THREAD
#define PERF_LOADER EVENT_TRACE_FLAG_IMAGE_LOAD
#define PERF_PERF_COUNTER EVENT_TRACE_FLAG_PROCESS_COUNTERS
#define PERF_FILENAME EVENT_TRACE_FLAG_DISK_FILE_IO
#define PERF_DISK_IO EVENT_TRACE_FLAG_DISK_FILE_IO | EVENT_TRACE_FLAG_DISK_IO
#define PERF_DISK_IO_INIT EVENT_TRACE_FLAG_DISK_IO_INIT
#define PERF_ALL_FAULTS EVENT_TRACE_FLAG_MEMORY_PAGE_FAULTS
#define PERF_HARD_FAULTS EVENT_TRACE_FLAG_MEMORY_HARD_FAULTS
#define PERF_VAMAP EVENT_TRACE_FLAG_VAMAP
#define PERF_NETWORK EVENT_TRACE_FLAG_NETWORK_TCPIP
#define PERF_REGISTRY EVENT_TRACE_FLAG_REGISTRY
#define PERF_DBGPRINT EVENT_TRACE_FLAG_DBGPRINT
#define PERF_JOB EVENT_TRACE_FLAG_JOB
#define PERF_ALPC EVENT_TRACE_FLAG_ALPC
#define PERF_SPLIT_IO EVENT_TRACE_FLAG_SPLIT_IO
#define PERF_DEBUG_EVENTS EVENT_TRACE_FLAG_DEBUG_EVENTS
#define PERF_FILE_IO EVENT_TRACE_FLAG_FILE_IO
#define PERF_FILE_IO_INIT EVENT_TRACE_FLAG_FILE_IO_INIT
#define PERF_NO_SYSCONFIG EVENT_TRACE_FLAG_NO_SYSCONFIG
// Masks[1]
#define PERF_MEMORY 0x20000001
#define PERF_PROFILE 0x20000002 // equivalent to EVENT_TRACE_FLAG_PROFILE
#define PERF_CONTEXT_SWITCH 0x20000004 // equivalent to EVENT_TRACE_FLAG_CSWITCH
#define PERF_FOOTPRINT 0x20000008
#define PERF_DRIVERS 0x20000010 // equivalent to EVENT_TRACE_FLAG_DRIVER
#define PERF_REFSET 0x20000020
#define PERF_POOL 0x20000040
#define PERF_POOLTRACE 0x20000041
#define PERF_DPC 0x20000080 // equivalent to EVENT_TRACE_FLAG_DPC
#define PERF_COMPACT_CSWITCH 0x20000100
#define PERF_DISPATCHER 0x20000200 // equivalent to EVENT_TRACE_FLAG_DISPATCHER
#define PERF_PMC_PROFILE 0x20000400
#define PERF_PROFILING 0x20000402
#define PERF_PROCESS_INSWAP 0x20000800
#define PERF_AFFINITY 0x20001000
#define PERF_PRIORITY 0x20002000
#define PERF_INTERRUPT 0x20004000 // equivalent to EVENT_TRACE_FLAG_INTERRUPT
#define PERF_VIRTUAL_ALLOC 0x20008000 // equivalent to EVENT_TRACE_FLAG_VIRTUAL_ALLOC
#define PERF_SPINLOCK 0x20010000
#define PERF_SYNC_OBJECTS 0x20020000
#define PERF_DPC_QUEUE 0x20040000
#define PERF_MEMINFO 0x20080000
#define PERF_CONTMEM_GEN 0x20100000
#define PERF_SPINLOCK_CNTRS 0x20200000
#define PERF_SPININSTR 0x20210000
#define PERF_SESSION 0x20400000
#define PERF_PFSECTION 0x20400000
#define PERF_MEMINFO_WS 0x20800000
#define PERF_KERNEL_QUEUE 0x21000000
#define PERF_INTERRUPT_STEER 0x22000000
#define PERF_SHOULD_YIELD 0x24000000
#define PERF_WS 0x28000000
// Masks[2]
#define PERF_ANTI_STARVATION 0x40000001
#define PERF_PROCESS_FREEZE 0x40000002
#define PERF_PFN_LIST 0x40000004
#define PERF_WS_DETAIL 0x40000008
#define PERF_WS_ENTRY 0x40000010
#define PERF_HEAP 0x40000020
#define PERF_SYSCALL 0x40000040 // equivalent to EVENT_TRACE_FLAG_SYSTEMCALL
#define PERF_UMS 0x40000080
#define PERF_BACKTRACE 0x40000100
#define PERF_VULCAN 0x40000200
#define PERF_OBJECTS 0x40000400
#define PERF_EVENTS 0x40000800
#define PERF_FULLTRACE 0x40001000
#define PERF_DFSS 0x40002000
#define PERF_PREFETCH 0x40004000
#define PERF_PROCESSOR_IDLE 0x40008000
#define PERF_CPU_CONFIG 0x40010000
#define PERF_TIMER 0x40020000
#define PERF_CLOCK_INTERRUPT 0x40040000
#define PERF_LOAD_BALANCER 0x40080000
#define PERF_CLOCK_TIMER 0x40100000
#define PERF_IDLE_SELECTION 0x40200000
#define PERF_IPI 0x40400000
#define PERF_IO_TIMER 0x40800000
#define PERF_REG_HIVE 0x41000000
#define PERF_REG_NOTIF 0x42000000
#define PERF_PPM_EXIT_LATENCY 0x44000000
#define PERF_WORKER_THREAD 0x48000000
// Masks[4]
#define PERF_OPTICAL_IO 0x80000001
#define PERF_OPTICAL_IO_INIT 0x80000002
#define PERF_DLL_INFO 0x80000008
#define PERF_DLL_FLUSH_WS 0x80000010
#define PERF_OB_HANDLE 0x80000040
#define PERF_OB_OBJECT 0x80000080
#define PERF_WAKE_DROP 0x80000200
#define PERF_WAKE_EVENT 0x80000400
#define PERF_DEBUGGER 0x80000800
#define PERF_PROC_ATTACH 0x80001000
#define PERF_WAKE_COUNTER 0x80002000
#define PERF_POWER 0x80008000
#define PERF_SOFT_TRIM 0x80010000
#define PERF_CC 0x80020000
#define PERF_FLT_IO_INIT 0x80080000
#define PERF_FLT_IO 0x80100000
#define PERF_FLT_FASTIO 0x80200000
#define PERF_FLT_IO_FAILURE 0x80400000
#define PERF_HV_PROFILE 0x80800000
#define PERF_WDF_DPC 0x81000000
#define PERF_WDF_INTERRUPT 0x82000000
#define PERF_CACHE_FLUSH 0x84000000
// Masks[5]
#define PERF_HIBER_RUNDOWN 0xA0000001
// Masks[6]
#define PERF_SYSCFG_SYSTEM 0xC0000001
#define PERF_SYSCFG_GRAPHICS 0xC0000002
#define PERF_SYSCFG_STORAGE 0xC0000004
#define PERF_SYSCFG_NETWORK 0xC0000008
#define PERF_SYSCFG_SERVICES 0xC0000010
#define PERF_SYSCFG_PNP 0xC0000020
#define PERF_SYSCFG_OPTICAL 0xC0000040
#define PERF_SYSCFG_ALL 0xDFFFFFFF
// Masks[7] - Control Mask. All flags that change system behavior go here.
#define PERF_CLUSTER_OFF 0xE0000001
#define PERF_MEMORY_CONTROL 0xE0000002
typedef ULONG PERFINFO_MASK;
typedef struct _PERFINFO_GROUPMASK
{
ULONG Masks[PERF_NUM_MASKS];
} PERFINFO_GROUPMASK, * PPERFINFO_GROUPMASK;
typedef struct _EVENT_TRACE_GROUPMASK_INFORMATION
{
EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass;
TRACEHANDLE TraceHandle;
PERFINFO_GROUPMASK EventTraceGroupMasks;
} EVENT_TRACE_GROUPMASK_INFORMATION, * PEVENT_TRACE_GROUPMASK_INFORMATION;
typedef struct _EVENT_TRACE_PERFORMANCE_INFORMATION
{
EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass;
LARGE_INTEGER LogfileBytesWritten;
} EVENT_TRACE_PERFORMANCE_INFORMATION, * PEVENT_TRACE_PERFORMANCE_INFORMATION;
typedef struct _EVENT_TRACE_TIME_PROFILE_INFORMATION
{
EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass;
ULONG ProfileInterval;
} EVENT_TRACE_TIME_PROFILE_INFORMATION, * PEVENT_TRACE_TIME_PROFILE_INFORMATION;
typedef struct _EVENT_TRACE_SESSION_SECURITY_INFORMATION
{
EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass;
ULONG SecurityInformation;
TRACEHANDLE TraceHandle;
UCHAR SecurityDescriptor[1];
} EVENT_TRACE_SESSION_SECURITY_INFORMATION, * PEVENT_TRACE_SESSION_SECURITY_INFORMATION;
typedef struct _EVENT_TRACE_SPINLOCK_INFORMATION
{
EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass;
ULONG SpinLockSpinThreshold;
ULONG SpinLockAcquireSampleRate;
ULONG SpinLockContentionSampleRate;
ULONG SpinLockHoldThreshold;
} EVENT_TRACE_SPINLOCK_INFORMATION, * PEVENT_TRACE_SPINLOCK_INFORMATION;
typedef struct _EVENT_TRACE_SYSTEM_EVENT_INFORMATION
{
EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass;
TRACEHANDLE TraceHandle;
ULONG HookId[1];
} EVENT_TRACE_SYSTEM_EVENT_INFORMATION, * PEVENT_TRACE_SYSTEM_EVENT_INFORMATION;
typedef struct _EVENT_TRACE_EXECUTIVE_RESOURCE_INFORMATION
{
EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass;
ULONG ReleaseSamplingRate;
ULONG ContentionSamplingRate;
ULONG NumberOfExcessiveTimeouts;
} EVENT_TRACE_EXECUTIVE_RESOURCE_INFORMATION, * PEVENT_TRACE_EXECUTIVE_RESOURCE_INFORMATION;
typedef struct _EVENT_TRACE_HEAP_TRACING_INFORMATION
{
EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass;
ULONG ProcessId;
} EVENT_TRACE_HEAP_TRACING_INFORMATION, * PEVENT_TRACE_HEAP_TRACING_INFORMATION;
typedef struct _EVENT_TRACE_TAG_FILTER_INFORMATION
{
EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass;
TRACEHANDLE TraceHandle;
ULONG Filter[1];
} EVENT_TRACE_TAG_FILTER_INFORMATION, * PEVENT_TRACE_TAG_FILTER_INFORMATION;
typedef struct _EVENT_TRACE_PROFILE_COUNTER_INFORMATION
{
EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass;
TRACEHANDLE TraceHandle;
ULONG ProfileSource[1];
} EVENT_TRACE_PROFILE_COUNTER_INFORMATION, * PEVENT_TRACE_PROFILE_COUNTER_INFORMATION;
//typedef struct _PROFILE_SOURCE_INFO
//{
// ULONG NextEntryOffset;
// ULONG Source;
// ULONG MinInterval;
// ULONG MaxInterval;
// PVOID Reserved;
// WCHAR Description[1];
//} PROFILE_SOURCE_INFO, *PPROFILE_SOURCE_INFO;
typedef struct _EVENT_TRACE_PROFILE_LIST_INFORMATION
{
EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass;
ULONG Spare;
struct _PROFILE_SOURCE_INFO* Profile[1];
} EVENT_TRACE_PROFILE_LIST_INFORMATION, * PEVENT_TRACE_PROFILE_LIST_INFORMATION;
typedef struct _EVENT_TRACE_STACK_CACHING_INFORMATION
{
EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass;
TRACEHANDLE TraceHandle;
BOOLEAN Enabled;
UCHAR Reserved[3];
ULONG CacheSize;
ULONG BucketCount;
} EVENT_TRACE_STACK_CACHING_INFORMATION, * PEVENT_TRACE_STACK_CACHING_INFORMATION;
typedef struct _EVENT_TRACE_SOFT_RESTART_INFORMATION
{
EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass;
TRACEHANDLE TraceHandle;
BOOLEAN PersistTraceBuffers;
WCHAR FileName[1];
} EVENT_TRACE_SOFT_RESTART_INFORMATION, * PEVENT_TRACE_SOFT_RESTART_INFORMATION;
typedef struct _EVENT_TRACE_PROFILE_ADD_INFORMATION
{
EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass;
BOOLEAN PerfEvtEventSelect;
BOOLEAN PerfEvtUnitSelect;
ULONG PerfEvtType;
ULONG CpuInfoHierarchy[0x3];
ULONG InitialInterval;
BOOLEAN AllowsHalt;
BOOLEAN Persist;
WCHAR ProfileSourceDescription[0x1];
} EVENT_TRACE_PROFILE_ADD_INFORMATION, * PEVENT_TRACE_PROFILE_ADD_INFORMATION;
typedef struct _EVENT_TRACE_PROFILE_REMOVE_INFORMATION
{
EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass;
KPROFILE_SOURCE ProfileSource;
ULONG CpuInfoHierarchy[0x3];
} EVENT_TRACE_PROFILE_REMOVE_INFORMATION, * PEVENT_TRACE_PROFILE_REMOVE_INFORMATION;
typedef struct _EVENT_TRACE_COVERAGE_SAMPLER_INFORMATION
{
EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass;
BOOLEAN CoverageSamplerInformationClass;
UCHAR MajorVersion;
UCHAR MinorVersion;
UCHAR Reserved;
HANDLE SamplerHandle;
} EVENT_TRACE_COVERAGE_SAMPLER_INFORMATION, * PEVENT_TRACE_COVERAGE_SAMPLER_INFORMATION;
typedef struct _SYSTEM_EXCEPTION_INFORMATION
{
ULONG AlignmentFixupCount;
ULONG ExceptionDispatchCount;
ULONG FloatingEmulationCount;
ULONG ByteWordEmulationCount;
} SYSTEM_EXCEPTION_INFORMATION, * PSYSTEM_EXCEPTION_INFORMATION;
typedef enum _SYSTEM_CRASH_DUMP_CONFIGURATION_CLASS
{
SystemCrashDumpDisable,
SystemCrashDumpReconfigure,
SystemCrashDumpInitializationComplete
} SYSTEM_CRASH_DUMP_CONFIGURATION_CLASS, * PSYSTEM_CRASH_DUMP_CONFIGURATION_CLASS;
typedef struct _SYSTEM_CRASH_DUMP_STATE_INFORMATION
{
SYSTEM_CRASH_DUMP_CONFIGURATION_CLASS CrashDumpConfigurationClass;
} SYSTEM_CRASH_DUMP_STATE_INFORMATION, * PSYSTEM_CRASH_DUMP_STATE_INFORMATION;
typedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION
{
BOOLEAN KernelDebuggerEnabled;
BOOLEAN KernelDebuggerNotPresent;
} SYSTEM_KERNEL_DEBUGGER_INFORMATION, * PSYSTEM_KERNEL_DEBUGGER_INFORMATION;
typedef struct _SYSTEM_CONTEXT_SWITCH_INFORMATION
{
ULONG ContextSwitches;
ULONG FindAny;
ULONG FindLast;
ULONG FindIdeal;
ULONG IdleAny;
ULONG IdleCurrent;
ULONG IdleLast;
ULONG IdleIdeal;
ULONG PreemptAny;
ULONG PreemptCurrent;
ULONG PreemptLast;
ULONG SwitchToIdle;
} SYSTEM_CONTEXT_SWITCH_INFORMATION, * PSYSTEM_CONTEXT_SWITCH_INFORMATION;
typedef struct _SYSTEM_REGISTRY_QUOTA_INFORMATION
{
ULONG RegistryQuotaAllowed;
ULONG RegistryQuotaUsed;
SIZE_T PagedPoolSize;
} SYSTEM_REGISTRY_QUOTA_INFORMATION, * PSYSTEM_REGISTRY_QUOTA_INFORMATION;
typedef struct _SYSTEM_PROCESSOR_IDLE_INFORMATION
{
ULONGLONG IdleTime;
ULONGLONG C1Time;
ULONGLONG C2Time;
ULONGLONG C3Time;
ULONG C1Transitions;
ULONG C2Transitions;
ULONG C3Transitions;
ULONG Padding;
} SYSTEM_PROCESSOR_IDLE_INFORMATION, * PSYSTEM_PROCESSOR_IDLE_INFORMATION;
typedef struct _SYSTEM_LEGACY_DRIVER_INFORMATION
{
ULONG VetoType;
UNICODE_STRING VetoList;
} SYSTEM_LEGACY_DRIVER_INFORMATION, * PSYSTEM_LEGACY_DRIVER_INFORMATION;
typedef struct _SYSTEM_LOOKASIDE_INFORMATION
{
USHORT CurrentDepth;
USHORT MaximumDepth;
ULONG TotalAllocates;
ULONG AllocateMisses;
ULONG TotalFrees;
ULONG FreeMisses;
ULONG Type;
ULONG Tag;
ULONG Size;
} SYSTEM_LOOKASIDE_INFORMATION, * PSYSTEM_LOOKASIDE_INFORMATION;
// private
typedef struct _SYSTEM_RANGE_START_INFORMATION
{
PVOID SystemRangeStart;
} SYSTEM_RANGE_START_INFORMATION, * PSYSTEM_RANGE_START_INFORMATION;
typedef struct _SYSTEM_VERIFIER_INFORMATION_LEGACY // pre-19H1
{
ULONG NextEntryOffset;
ULONG Level;
UNICODE_STRING DriverName;
ULONG RaiseIrqls;
ULONG AcquireSpinLocks;
ULONG SynchronizeExecutions;
ULONG AllocationsAttempted;
ULONG AllocationsSucceeded;
ULONG AllocationsSucceededSpecialPool;
ULONG AllocationsWithNoTag;
ULONG TrimRequests;
ULONG Trims;
ULONG AllocationsFailed;
ULONG AllocationsFailedDeliberately;
ULONG Loads;
ULONG Unloads;
ULONG UnTrackedPool;
ULONG CurrentPagedPoolAllocations;
ULONG CurrentNonPagedPoolAllocations;
ULONG PeakPagedPoolAllocations;
ULONG PeakNonPagedPoolAllocations;
SIZE_T PagedPoolUsageInBytes;
SIZE_T NonPagedPoolUsageInBytes;
SIZE_T PeakPagedPoolUsageInBytes;
SIZE_T PeakNonPagedPoolUsageInBytes;
} SYSTEM_VERIFIER_INFORMATION_LEGACY, * PSYSTEM_VERIFIER_INFORMATION_LEGACY;
typedef struct _SYSTEM_VERIFIER_INFORMATION
{
ULONG NextEntryOffset;
ULONG Level;
ULONG RuleClasses[2];
ULONG TriageContext;
ULONG AreAllDriversBeingVerified;
UNICODE_STRING DriverName;
ULONG RaiseIrqls;
ULONG AcquireSpinLocks;
ULONG SynchronizeExecutions;
ULONG AllocationsAttempted;
ULONG AllocationsSucceeded;
ULONG AllocationsSucceededSpecialPool;
ULONG AllocationsWithNoTag;
ULONG TrimRequests;
ULONG Trims;
ULONG AllocationsFailed;
ULONG AllocationsFailedDeliberately;
ULONG Loads;
ULONG Unloads;
ULONG UnTrackedPool;
ULONG CurrentPagedPoolAllocations;
ULONG CurrentNonPagedPoolAllocations;
ULONG PeakPagedPoolAllocations;
ULONG PeakNonPagedPoolAllocations;
SIZE_T PagedPoolUsageInBytes;
SIZE_T NonPagedPoolUsageInBytes;
SIZE_T PeakPagedPoolUsageInBytes;
SIZE_T PeakNonPagedPoolUsageInBytes;
} SYSTEM_VERIFIER_INFORMATION, * PSYSTEM_VERIFIER_INFORMATION;
typedef struct _SYSTEM_SESSION_PROCESS_INFORMATION
{
ULONG SessionId;
ULONG SizeOfBuf;
PVOID Buffer;
} SYSTEM_SESSION_PROCESS_INFORMATION, * PSYSTEM_SESSION_PROCESS_INFORMATION;
typedef struct _SYSTEM_PROCESSOR_POWER_INFORMATION
{
UCHAR CurrentFrequency;
UCHAR ThermalLimitFrequency;
UCHAR ConstantThrottleFrequency;
UCHAR DegradedThrottleFrequency;
UCHAR LastBusyFrequency;
UCHAR LastC3Frequency;
UCHAR LastAdjustedBusyFrequency;
UCHAR ProcessorMinThrottle;
UCHAR ProcessorMaxThrottle;
ULONG NumberOfFrequencies;
ULONG PromotionCount;
ULONG DemotionCount;
ULONG ErrorCount;
ULONG RetryCount;
ULONGLONG CurrentFrequencyTime;
ULONGLONG CurrentProcessorTime;
ULONGLONG CurrentProcessorIdleTime;
ULONGLONG LastProcessorTime;
ULONGLONG LastProcessorIdleTime;
ULONGLONG Energy;
} SYSTEM_PROCESSOR_POWER_INFORMATION, * PSYSTEM_PROCESSOR_POWER_INFORMATION;
typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX
{
PVOID Object;
ULONG_PTR UniqueProcessId;
ULONG_PTR HandleValue;
ULONG GrantedAccess;
USHORT CreatorBackTraceIndex;
USHORT ObjectTypeIndex;
ULONG HandleAttributes;
ULONG Reserved;
} SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX, * PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX;
typedef struct _SYSTEM_HANDLE_INFORMATION_EX
{
ULONG_PTR NumberOfHandles;
ULONG_PTR Reserved;
SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX Handles[1];
} SYSTEM_HANDLE_INFORMATION_EX, * PSYSTEM_HANDLE_INFORMATION_EX;
typedef struct _SYSTEM_BIGPOOL_ENTRY
{
union
{
PVOID VirtualAddress;
ULONG_PTR NonPaged : 1;
};
SIZE_T SizeInBytes;
union
{
UCHAR Tag[4];
ULONG TagUlong;
};
} SYSTEM_BIGPOOL_ENTRY, * PSYSTEM_BIGPOOL_ENTRY;
typedef struct _SYSTEM_BIGPOOL_INFORMATION
{
ULONG Count;
SYSTEM_BIGPOOL_ENTRY AllocatedInfo[1];
} SYSTEM_BIGPOOL_INFORMATION, * PSYSTEM_BIGPOOL_INFORMATION;
typedef struct _SYSTEM_POOL_ENTRY
{
BOOLEAN Allocated;
BOOLEAN Spare0;
USHORT AllocatorBackTraceIndex;
ULONG Size;
union
{
UCHAR Tag[4];
ULONG TagUlong;
PVOID ProcessChargedQuota;
};
} SYSTEM_POOL_ENTRY, * PSYSTEM_POOL_ENTRY;
typedef struct _SYSTEM_POOL_INFORMATION
{
SIZE_T TotalSize;
PVOID FirstEntry;
USHORT EntryOverhead;
BOOLEAN PoolTagPresent;
BOOLEAN Spare0;
ULONG NumberOfEntries;
SYSTEM_POOL_ENTRY Entries[1];
} SYSTEM_POOL_INFORMATION, * PSYSTEM_POOL_INFORMATION;
typedef struct _SYSTEM_SESSION_POOLTAG_INFORMATION
{
SIZE_T NextEntryOffset;
ULONG SessionId;
ULONG Count;
SYSTEM_POOLTAG TagInfo[1];
} SYSTEM_SESSION_POOLTAG_INFORMATION, * PSYSTEM_SESSION_POOLTAG_INFORMATION;
typedef struct _SYSTEM_SESSION_MAPPED_VIEW_INFORMATION
{
SIZE_T NextEntryOffset;
ULONG SessionId;
ULONG ViewFailures;
SIZE_T NumberOfBytesAvailable;
SIZE_T NumberOfBytesAvailableContiguous;
} SYSTEM_SESSION_MAPPED_VIEW_INFORMATION, * PSYSTEM_SESSION_MAPPED_VIEW_INFORMATION;
#ifndef _KERNEL_MODE
// private
typedef enum _SYSTEM_FIRMWARE_TABLE_ACTION
{
SystemFirmwareTableEnumerate,
SystemFirmwareTableGet,
SystemFirmwareTableMax
} SYSTEM_FIRMWARE_TABLE_ACTION;
// private
typedef struct _SYSTEM_FIRMWARE_TABLE_INFORMATION
{
ULONG ProviderSignature; // (same as the GetSystemFirmwareTable function)
SYSTEM_FIRMWARE_TABLE_ACTION Action;
ULONG TableID;
ULONG TableBufferLength;
UCHAR TableBuffer[1];
} SYSTEM_FIRMWARE_TABLE_INFORMATION, * PSYSTEM_FIRMWARE_TABLE_INFORMATION;
// private
typedef NTSTATUS(__cdecl* PFNFTH)(
_Inout_ PSYSTEM_FIRMWARE_TABLE_INFORMATION SystemFirmwareTableInfo
);
// private
typedef struct _SYSTEM_FIRMWARE_TABLE_HANDLER
{
ULONG ProviderSignature;
BOOLEAN Register;
PFNFTH FirmwareTableHandler;
PVOID DriverObject;
} SYSTEM_FIRMWARE_TABLE_HANDLER, * PSYSTEM_FIRMWARE_TABLE_HANDLER;
#endif // _KERNEL_MODE
// private
typedef struct _SYSTEM_MEMORY_LIST_INFORMATION
{
ULONG_PTR ZeroPageCount;
ULONG_PTR FreePageCount;
ULONG_PTR ModifiedPageCount;
ULONG_PTR ModifiedNoWritePageCount;
ULONG_PTR BadPageCount;
ULONG_PTR PageCountByPriority[8];
ULONG_PTR RepurposedPagesByPriority[8];
ULONG_PTR ModifiedPageCountPageFile;
} SYSTEM_MEMORY_LIST_INFORMATION, * PSYSTEM_MEMORY_LIST_INFORMATION;
// private
typedef enum _SYSTEM_MEMORY_LIST_COMMAND
{
MemoryCaptureAccessedBits,
MemoryCaptureAndResetAccessedBits,
MemoryEmptyWorkingSets,
MemoryFlushModifiedList,
MemoryPurgeStandbyList,
MemoryPurgeLowPriorityStandbyList,
MemoryCommandMax
} SYSTEM_MEMORY_LIST_COMMAND;
// private
typedef struct _SYSTEM_THREAD_CID_PRIORITY_INFORMATION
{
CLIENT_ID ClientId;
KPRIORITY Priority;
} SYSTEM_THREAD_CID_PRIORITY_INFORMATION, * PSYSTEM_THREAD_CID_PRIORITY_INFORMATION;
// private
typedef struct _SYSTEM_PROCESSOR_IDLE_CYCLE_TIME_INFORMATION
{
ULONGLONG CycleTime;
} SYSTEM_PROCESSOR_IDLE_CYCLE_TIME_INFORMATION, * PSYSTEM_PROCESSOR_IDLE_CYCLE_TIME_INFORMATION;
// private
typedef struct _SYSTEM_VERIFIER_ISSUE
{
ULONGLONG IssueType;
PVOID Address;
ULONGLONG Parameters[2];
} SYSTEM_VERIFIER_ISSUE, * PSYSTEM_VERIFIER_ISSUE;
// private
typedef struct _SYSTEM_VERIFIER_CANCELLATION_INFORMATION
{
ULONG CancelProbability;
ULONG CancelThreshold;
ULONG CompletionThreshold;
ULONG CancellationVerifierDisabled;
ULONG AvailableIssues;
SYSTEM_VERIFIER_ISSUE Issues[128];
} SYSTEM_VERIFIER_CANCELLATION_INFORMATION, * PSYSTEM_VERIFIER_CANCELLATION_INFORMATION;
// private
typedef struct _SYSTEM_REF_TRACE_INFORMATION
{
BOOLEAN TraceEnable;
BOOLEAN TracePermanent;
UNICODE_STRING TraceProcessName;
UNICODE_STRING TracePoolTags;
} SYSTEM_REF_TRACE_INFORMATION, * PSYSTEM_REF_TRACE_INFORMATION;
// private
typedef struct _SYSTEM_SPECIAL_POOL_INFORMATION
{
ULONG PoolTag;
ULONG Flags;
} SYSTEM_SPECIAL_POOL_INFORMATION, * PSYSTEM_SPECIAL_POOL_INFORMATION;
// private
typedef struct _SYSTEM_PROCESS_ID_INFORMATION
{
HANDLE ProcessId;
UNICODE_STRING ImageName;
} SYSTEM_PROCESS_ID_INFORMATION, * PSYSTEM_PROCESS_ID_INFORMATION;
#if (WDK_NTDDI_VERSION >= NTDDI_WIN10_RS3)
// private
typedef struct _SYSTEM_BOOT_ENVIRONMENT_INFORMATION
{
GUID BootIdentifier;
FIRMWARE_TYPE FirmwareType;
union
{
ULONGLONG BootFlags;
struct
{
ULONGLONG DbgMenuOsSelection : 1; // REDSTONE4
ULONGLONG DbgHiberBoot : 1;
ULONGLONG DbgSoftBoot : 1;
ULONGLONG DbgMeasuredLaunch : 1;
ULONGLONG DbgMeasuredLaunchCapable : 1; // 19H1
ULONGLONG DbgSystemHiveReplace : 1;
ULONGLONG DbgMeasuredLaunchSmmProtections : 1;
ULONGLONG DbgMeasuredLaunchSmmLevel : 7; // 20H1
};
};
} SYSTEM_BOOT_ENVIRONMENT_INFORMATION, * PSYSTEM_BOOT_ENVIRONMENT_INFORMATION;
#endif // WDK_NTDDI_VERSION >= NTDDI_WIN10_RS3
// private
typedef struct _SYSTEM_IMAGE_FILE_EXECUTION_OPTIONS_INFORMATION
{
ULONG FlagsToEnable;
ULONG FlagsToDisable;
} SYSTEM_IMAGE_FILE_EXECUTION_OPTIONS_INFORMATION, * PSYSTEM_IMAGE_FILE_EXECUTION_OPTIONS_INFORMATION;
// private
typedef struct _SYSTEM_PREFETCH_PATCH_INFORMATION
{
ULONG PrefetchPatchCount;
} SYSTEM_PREFETCH_PATCH_INFORMATION, * PSYSTEM_PREFETCH_PATCH_INFORMATION;
// private
typedef struct _SYSTEM_VERIFIER_FAULTS_INFORMATION
{
ULONG Probability;
ULONG MaxProbability;
UNICODE_STRING PoolTags;
UNICODE_STRING Applications;
} SYSTEM_VERIFIER_FAULTS_INFORMATION, * PSYSTEM_VERIFIER_FAULTS_INFORMATION;
// private
typedef struct _SYSTEM_VERIFIER_INFORMATION_EX
{
ULONG VerifyMode;
ULONG OptionChanges;
UNICODE_STRING PreviousBucketName;
ULONG IrpCancelTimeoutMsec;
ULONG VerifierExtensionEnabled;
#ifdef _WIN64
ULONG Reserved[1];
#else
ULONG Reserved[3];
#endif
} SYSTEM_VERIFIER_INFORMATION_EX, * PSYSTEM_VERIFIER_INFORMATION_EX;
// private
typedef struct _SYSTEM_SYSTEM_PARTITION_INFORMATION
{
UNICODE_STRING SystemPartition;
} SYSTEM_SYSTEM_PARTITION_INFORMATION, * PSYSTEM_SYSTEM_PARTITION_INFORMATION;
// private
typedef struct _SYSTEM_SYSTEM_DISK_INFORMATION
{
UNICODE_STRING SystemDisk;
} SYSTEM_SYSTEM_DISK_INFORMATION, * PSYSTEM_SYSTEM_DISK_INFORMATION;
// private (Windows 8.1 and above)
typedef struct _SYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT
{
ULONGLONG Hits;
UCHAR PercentFrequency;
} SYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT, * PSYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT;
// private (Windows 7 and Windows 8)
typedef struct _SYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT_WIN8
{
ULONG Hits;
UCHAR PercentFrequency;
} SYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT_WIN8, * PSYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT_WIN8;
// private
typedef struct _SYSTEM_PROCESSOR_PERFORMANCE_STATE_DISTRIBUTION
{
ULONG ProcessorNumber;
ULONG StateCount;
SYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT States[1];
} SYSTEM_PROCESSOR_PERFORMANCE_STATE_DISTRIBUTION, * PSYSTEM_PROCESSOR_PERFORMANCE_STATE_DISTRIBUTION;
// private
typedef struct _SYSTEM_PROCESSOR_PERFORMANCE_DISTRIBUTION
{
ULONG ProcessorCount;
ULONG Offsets[1];
} SYSTEM_PROCESSOR_PERFORMANCE_DISTRIBUTION, * PSYSTEM_PROCESSOR_PERFORMANCE_DISTRIBUTION;
#define CODEINTEGRITY_OPTION_ENABLED 0x01
#define CODEINTEGRITY_OPTION_TESTSIGN 0x02
#define CODEINTEGRITY_OPTION_UMCI_ENABLED 0x04
#define CODEINTEGRITY_OPTION_UMCI_AUDITMODE_ENABLED 0x08
#define CODEINTEGRITY_OPTION_UMCI_EXCLUSIONPATHS_ENABLED 0x10
#define CODEINTEGRITY_OPTION_TEST_BUILD 0x20
#define CODEINTEGRITY_OPTION_PREPRODUCTION_BUILD 0x40
#define CODEINTEGRITY_OPTION_DEBUGMODE_ENABLED 0x80
#define CODEINTEGRITY_OPTION_FLIGHT_BUILD 0x100
#define CODEINTEGRITY_OPTION_FLIGHTING_ENABLED 0x200
#define CODEINTEGRITY_OPTION_HVCI_KMCI_ENABLED 0x400
#define CODEINTEGRITY_OPTION_HVCI_KMCI_AUDITMODE_ENABLED 0x800
#define CODEINTEGRITY_OPTION_HVCI_KMCI_STRICTMODE_ENABLED 0x1000
#define CODEINTEGRITY_OPTION_HVCI_IUM_ENABLED 0x2000
// private
typedef struct _SYSTEM_CODEINTEGRITY_INFORMATION
{
ULONG Length;
ULONG CodeIntegrityOptions;
} SYSTEM_CODEINTEGRITY_INFORMATION, * PSYSTEM_CODEINTEGRITY_INFORMATION;
// private
typedef struct _SYSTEM_PROCESSOR_MICROCODE_UPDATE_INFORMATION
{
ULONG Operation;
} SYSTEM_PROCESSOR_MICROCODE_UPDATE_INFORMATION, * PSYSTEM_PROCESSOR_MICROCODE_UPDATE_INFORMATION;
// private
typedef enum _SYSTEM_VA_TYPE
{
SystemVaTypeAll,
SystemVaTypeNonPagedPool,
SystemVaTypePagedPool,
SystemVaTypeSystemCache,
SystemVaTypeSystemPtes,
SystemVaTypeSessionSpace,
SystemVaTypeMax
} SYSTEM_VA_TYPE, * PSYSTEM_VA_TYPE;
// private
typedef struct _SYSTEM_VA_LIST_INFORMATION
{
SIZE_T VirtualSize;
SIZE_T VirtualPeak;
SIZE_T VirtualLimit;
SIZE_T AllocationFailures;
} SYSTEM_VA_LIST_INFORMATION, * PSYSTEM_VA_LIST_INFORMATION;
// rev
typedef enum _SYSTEM_STORE_INFORMATION_CLASS
{
SystemStoreCompressionInformation = 22 // q: SYSTEM_STORE_COMPRESSION_INFORMATION
} SYSTEM_STORE_INFORMATION_CLASS;
// rev
#define SYSTEM_STORE_INFORMATION_VERSION 1
// rev
typedef struct _SYSTEM_STORE_INFORMATION
{
_In_ ULONG Version;
_In_ SYSTEM_STORE_INFORMATION_CLASS StoreInformationClass;
_Inout_ PVOID Data;
_Inout_ ULONG Length;
} SYSTEM_STORE_INFORMATION, * PSYSTEM_STORE_INFORMATION;
// rev
#define SYSTEM_STORE_COMPRESSION_INFORMATION_VERSION 3
// rev
typedef struct _SYSTEM_STORE_COMPRESSION_INFORMATION
{
ULONG Version;
ULONG CompressionPid;
ULONGLONG CompressionWorkingSetSize;
ULONGLONG CompressSize;
ULONGLONG CompressedSize;
ULONGLONG NonCompressedSize;
} SYSTEM_STORE_COMPRESSION_INFORMATION, * PSYSTEM_STORE_COMPRESSION_INFORMATION;
// private
typedef struct _SYSTEM_REGISTRY_APPEND_STRING_PARAMETERS
{
HANDLE KeyHandle;
PUNICODE_STRING ValueNamePointer;
PULONG RequiredLengthPointer;
PUCHAR Buffer;
ULONG BufferLength;
ULONG Type;
PUCHAR AppendBuffer;
ULONG AppendBufferLength;
BOOLEAN CreateIfDoesntExist;
BOOLEAN TruncateExistingValue;
} SYSTEM_REGISTRY_APPEND_STRING_PARAMETERS, * PSYSTEM_REGISTRY_APPEND_STRING_PARAMETERS;
// msdn
typedef struct _SYSTEM_VHD_BOOT_INFORMATION
{
BOOLEAN OsDiskIsVhd;
ULONG OsVhdFilePathOffset;
WCHAR OsVhdParentVolume[ANYSIZE_ARRAY];
} SYSTEM_VHD_BOOT_INFORMATION, * PSYSTEM_VHD_BOOT_INFORMATION;
// private
typedef struct _PS_CPU_QUOTA_QUERY_ENTRY
{
ULONG SessionId;
ULONG Weight;
} PS_CPU_QUOTA_QUERY_ENTRY, * PPS_CPU_QUOTA_QUERY_ENTRY;
// private
typedef struct _PS_CPU_QUOTA_QUERY_INFORMATION
{
ULONG SessionCount;
PS_CPU_QUOTA_QUERY_ENTRY SessionInformation[1];
} PS_CPU_QUOTA_QUERY_INFORMATION, * PPS_CPU_QUOTA_QUERY_INFORMATION;
// private
typedef struct _SYSTEM_ERROR_PORT_TIMEOUTS
{
ULONG StartTimeout;
ULONG CommTimeout;
} SYSTEM_ERROR_PORT_TIMEOUTS, * PSYSTEM_ERROR_PORT_TIMEOUTS;
// private
typedef struct _SYSTEM_LOW_PRIORITY_IO_INFORMATION
{
ULONG LowPriReadOperations;
ULONG LowPriWriteOperations;
ULONG KernelBumpedToNormalOperations;
ULONG LowPriPagingReadOperations;
ULONG KernelPagingReadsBumpedToNormal;
ULONG LowPriPagingWriteOperations;
ULONG KernelPagingWritesBumpedToNormal;
ULONG BoostedIrpCount;
ULONG BoostedPagingIrpCount;
ULONG BlanketBoostCount;
} SYSTEM_LOW_PRIORITY_IO_INFORMATION, * PSYSTEM_LOW_PRIORITY_IO_INFORMATION;
// symbols
typedef enum _TPM_BOOT_ENTROPY_RESULT_CODE
{
TpmBootEntropyStructureUninitialized,
TpmBootEntropyDisabledByPolicy,
TpmBootEntropyNoTpmFound,
TpmBootEntropyTpmError,
TpmBootEntropySuccess
} TPM_BOOT_ENTROPY_RESULT_CODE;
// Contents of KeLoaderBlock->Extension->TpmBootEntropyResult (TPM_BOOT_ENTROPY_LDR_RESULT).
// EntropyData is truncated to 40 bytes.
// private
typedef struct _TPM_BOOT_ENTROPY_NT_RESULT
{
ULONGLONG Policy;
TPM_BOOT_ENTROPY_RESULT_CODE ResultCode;
NTSTATUS ResultStatus;
ULONGLONG Time;
ULONG EntropyLength;
UCHAR EntropyData[40];
} TPM_BOOT_ENTROPY_NT_RESULT, * PTPM_BOOT_ENTROPY_NT_RESULT;
// private
typedef struct _SYSTEM_VERIFIER_COUNTERS_INFORMATION
{
SYSTEM_VERIFIER_INFORMATION Legacy;
ULONG RaiseIrqls;
ULONG AcquireSpinLocks;
ULONG SynchronizeExecutions;
ULONG AllocationsWithNoTag;
ULONG AllocationsFailed;
ULONG AllocationsFailedDeliberately;
SIZE_T LockedBytes;
SIZE_T PeakLockedBytes;
SIZE_T MappedLockedBytes;
SIZE_T PeakMappedLockedBytes;
SIZE_T MappedIoSpaceBytes;
SIZE_T PeakMappedIoSpaceBytes;
SIZE_T PagesForMdlBytes;
SIZE_T PeakPagesForMdlBytes;
SIZE_T ContiguousMemoryBytes;
SIZE_T PeakContiguousMemoryBytes;
ULONG ExecutePoolTypes; // REDSTONE2
ULONG ExecutePageProtections;
ULONG ExecutePageMappings;
ULONG ExecuteWriteSections;
ULONG SectionAlignmentFailures;
ULONG UnsupportedRelocs;
ULONG IATInExecutableSection;
} SYSTEM_VERIFIER_COUNTERS_INFORMATION, * PSYSTEM_VERIFIER_COUNTERS_INFORMATION;
// private
typedef struct _SYSTEM_ACPI_AUDIT_INFORMATION
{
ULONG RsdpCount;
ULONG SameRsdt : 1;
ULONG SlicPresent : 1;
ULONG SlicDifferent : 1;
} SYSTEM_ACPI_AUDIT_INFORMATION, * PSYSTEM_ACPI_AUDIT_INFORMATION;
// private
typedef struct _SYSTEM_BASIC_PERFORMANCE_INFORMATION
{
SIZE_T AvailablePages;
SIZE_T CommittedPages;
SIZE_T CommitLimit;
SIZE_T PeakCommitment;
} SYSTEM_BASIC_PERFORMANCE_INFORMATION, * PSYSTEM_BASIC_PERFORMANCE_INFORMATION;
// begin_msdn
typedef struct _QUERY_PERFORMANCE_COUNTER_FLAGS
{
union
{
struct
{
ULONG KernelTransition : 1;
ULONG Reserved : 31;
};
ULONG ul;
};
} QUERY_PERFORMANCE_COUNTER_FLAGS;
typedef struct _SYSTEM_QUERY_PERFORMANCE_COUNTER_INFORMATION
{
ULONG Version;
QUERY_PERFORMANCE_COUNTER_FLAGS Flags;
QUERY_PERFORMANCE_COUNTER_FLAGS ValidFlags;
} SYSTEM_QUERY_PERFORMANCE_COUNTER_INFORMATION, * PSYSTEM_QUERY_PERFORMANCE_COUNTER_INFORMATION;
// end_msdn
// private
typedef enum _SYSTEM_PIXEL_FORMAT
{
SystemPixelFormatUnknown,
SystemPixelFormatR8G8B8,
SystemPixelFormatR8G8B8X8,
SystemPixelFormatB8G8R8,
SystemPixelFormatB8G8R8X8
} SYSTEM_PIXEL_FORMAT;
// private
typedef struct _SYSTEM_BOOT_GRAPHICS_INFORMATION
{
LARGE_INTEGER FrameBuffer;
ULONG Width;
ULONG Height;
ULONG PixelStride;
ULONG Flags;
SYSTEM_PIXEL_FORMAT Format;
ULONG DisplayRotation;
} SYSTEM_BOOT_GRAPHICS_INFORMATION, * PSYSTEM_BOOT_GRAPHICS_INFORMATION;
// private
typedef struct _MEMORY_SCRUB_INFORMATION
{
HANDLE Handle;
ULONG PagesScrubbed;
} MEMORY_SCRUB_INFORMATION, * PMEMORY_SCRUB_INFORMATION;
// private
typedef struct _PEBS_DS_SAVE_AREA32
{
ULONG BtsBufferBase;
ULONG BtsIndex;
ULONG BtsAbsoluteMaximum;
ULONG BtsInterruptThreshold;
ULONG PebsBufferBase;
ULONG PebsIndex;
ULONG PebsAbsoluteMaximum;
ULONG PebsInterruptThreshold;
ULONG PebsGpCounterReset[8];
ULONG PebsFixedCounterReset[4];
} PEBS_DS_SAVE_AREA32, * PPEBS_DS_SAVE_AREA32;
// private
typedef struct _PEBS_DS_SAVE_AREA64
{
ULONGLONG BtsBufferBase;
ULONGLONG BtsIndex;
ULONGLONG BtsAbsoluteMaximum;
ULONGLONG BtsInterruptThreshold;
ULONGLONG PebsBufferBase;
ULONGLONG PebsIndex;
ULONGLONG PebsAbsoluteMaximum;
ULONGLONG PebsInterruptThreshold;
ULONGLONG PebsGpCounterReset[8];
ULONGLONG PebsFixedCounterReset[4];
} PEBS_DS_SAVE_AREA64, * PPEBS_DS_SAVE_AREA64;
// private
typedef union _PEBS_DS_SAVE_AREA
{
PEBS_DS_SAVE_AREA32 As32Bit;
PEBS_DS_SAVE_AREA64 As64Bit;
} PEBS_DS_SAVE_AREA, * PPEBS_DS_SAVE_AREA;
// private
typedef struct _PROCESSOR_PROFILE_CONTROL_AREA
{
PEBS_DS_SAVE_AREA PebsDsSaveArea;
} PROCESSOR_PROFILE_CONTROL_AREA, * PPROCESSOR_PROFILE_CONTROL_AREA;
// private
typedef struct _SYSTEM_PROCESSOR_PROFILE_CONTROL_AREA
{
PROCESSOR_PROFILE_CONTROL_AREA ProcessorProfileControlArea;
BOOLEAN Allocate;
} SYSTEM_PROCESSOR_PROFILE_CONTROL_AREA, * PSYSTEM_PROCESSOR_PROFILE_CONTROL_AREA;
// private
typedef struct _MEMORY_COMBINE_INFORMATION
{
HANDLE Handle;
ULONG_PTR PagesCombined;
} MEMORY_COMBINE_INFORMATION, * PMEMORY_COMBINE_INFORMATION;
// rev
#define MEMORY_COMBINE_FLAGS_COMMON_PAGES_ONLY 0x4
// private
typedef struct _MEMORY_COMBINE_INFORMATION_EX
{
HANDLE Handle;
ULONG_PTR PagesCombined;
ULONG Flags;
} MEMORY_COMBINE_INFORMATION_EX, * PMEMORY_COMBINE_INFORMATION_EX;
// private
typedef struct _MEMORY_COMBINE_INFORMATION_EX2
{
HANDLE Handle;
ULONG_PTR PagesCombined;
ULONG Flags;
HANDLE ProcessHandle;
} MEMORY_COMBINE_INFORMATION_EX2, * PMEMORY_COMBINE_INFORMATION_EX2;
// private
typedef struct _SYSTEM_CONSOLE_INFORMATION
{
ULONG DriverLoaded : 1;
ULONG Spare : 31;
} SYSTEM_CONSOLE_INFORMATION, * PSYSTEM_CONSOLE_INFORMATION;
// private
typedef struct _SYSTEM_PLATFORM_BINARY_INFORMATION
{
ULONG64 PhysicalAddress;
PVOID HandoffBuffer;
PVOID CommandLineBuffer;
ULONG HandoffBufferSize;
ULONG CommandLineBufferSize;
} SYSTEM_PLATFORM_BINARY_INFORMATION, * PSYSTEM_PLATFORM_BINARY_INFORMATION;
// private
typedef struct _SYSTEM_POLICY_INFORMATION
{
PVOID InputData;
PVOID OutputData;
ULONG InputDataSize;
ULONG OutputDataSize;
ULONG Version;
} SYSTEM_POLICY_INFORMATION, * PSYSTEM_POLICY_INFORMATION;
// private
typedef struct _SYSTEM_HYPERVISOR_PROCESSOR_COUNT_INFORMATION
{
ULONG NumberOfLogicalProcessors;
ULONG NumberOfCores;
} SYSTEM_HYPERVISOR_PROCESSOR_COUNT_INFORMATION, * PSYSTEM_HYPERVISOR_PROCESSOR_COUNT_INFORMATION;
// private
typedef struct _SYSTEM_DEVICE_DATA_INFORMATION
{
UNICODE_STRING DeviceId;
UNICODE_STRING DataName;
ULONG DataType;
ULONG DataBufferLength;
PVOID DataBuffer;
} SYSTEM_DEVICE_DATA_INFORMATION, * PSYSTEM_DEVICE_DATA_INFORMATION;
// private
typedef struct _PHYSICAL_CHANNEL_RUN
{
ULONG NodeNumber;
ULONG ChannelNumber;
ULONGLONG BasePage;
ULONGLONG PageCount;
ULONG Flags;
} PHYSICAL_CHANNEL_RUN, * PPHYSICAL_CHANNEL_RUN;
// private
typedef struct _SYSTEM_MEMORY_TOPOLOGY_INFORMATION
{
ULONGLONG NumberOfRuns;
ULONG NumberOfNodes;
ULONG NumberOfChannels;
PHYSICAL_CHANNEL_RUN Run[1];
} SYSTEM_MEMORY_TOPOLOGY_INFORMATION, * PSYSTEM_MEMORY_TOPOLOGY_INFORMATION;
// private
typedef struct _SYSTEM_MEMORY_CHANNEL_INFORMATION
{
ULONG ChannelNumber;
ULONG ChannelHeatIndex;
ULONGLONG TotalPageCount;
ULONGLONG ZeroPageCount;
ULONGLONG FreePageCount;
ULONGLONG StandbyPageCount;
} SYSTEM_MEMORY_CHANNEL_INFORMATION, * PSYSTEM_MEMORY_CHANNEL_INFORMATION;
// private
typedef struct _SYSTEM_BOOT_LOGO_INFORMATION
{
ULONG Flags;
ULONG BitmapOffset;
} SYSTEM_BOOT_LOGO_INFORMATION, * PSYSTEM_BOOT_LOGO_INFORMATION;
// private
typedef struct _SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION_EX
{
LARGE_INTEGER IdleTime;
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER DpcTime;
LARGE_INTEGER InterruptTime;
ULONG InterruptCount;
ULONG Spare0;
LARGE_INTEGER AvailableTime;
LARGE_INTEGER Spare1;
LARGE_INTEGER Spare2;
} SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION_EX, * PSYSTEM_PROCESSOR_PERFORMANCE_INFORMATION_EX;
// private
typedef struct _SYSTEM_SECUREBOOT_POLICY_INFORMATION
{
GUID PolicyPublisher;
ULONG PolicyVersion;
ULONG PolicyOptions;
} SYSTEM_SECUREBOOT_POLICY_INFORMATION, * PSYSTEM_SECUREBOOT_POLICY_INFORMATION;
// private
typedef struct _SYSTEM_PAGEFILE_INFORMATION_EX
{
union // HACK union declaration for convenience (dmex)
{
SYSTEM_PAGEFILE_INFORMATION Info;
struct
{
ULONG NextEntryOffset;
ULONG TotalSize;
ULONG TotalInUse;
ULONG PeakUsage;
UNICODE_STRING PageFileName;
};
};
ULONG MinimumSize;
ULONG MaximumSize;
} SYSTEM_PAGEFILE_INFORMATION_EX, * PSYSTEM_PAGEFILE_INFORMATION_EX;
// private
typedef struct _SYSTEM_SECUREBOOT_INFORMATION
{
BOOLEAN SecureBootEnabled;
BOOLEAN SecureBootCapable;
} SYSTEM_SECUREBOOT_INFORMATION, * PSYSTEM_SECUREBOOT_INFORMATION;
// private
typedef struct _PROCESS_DISK_COUNTERS
{
ULONGLONG BytesRead;
ULONGLONG BytesWritten;
ULONGLONG ReadOperationCount;
ULONGLONG WriteOperationCount;
ULONGLONG FlushOperationCount;
} PROCESS_DISK_COUNTERS, * PPROCESS_DISK_COUNTERS;
// private
typedef union _ENERGY_STATE_DURATION
{
union
{
ULONGLONG Value;
ULONG LastChangeTime;
};
ULONG Duration : 31;
ULONG IsInState : 1;
} ENERGY_STATE_DURATION, * PENERGY_STATE_DURATION;
typedef struct _PROCESS_ENERGY_VALUES
{
ULONGLONG Cycles[4][2];
ULONGLONG DiskEnergy;
ULONGLONG NetworkTailEnergy;
ULONGLONG MBBTailEnergy;
ULONGLONG NetworkTxRxBytes;
ULONGLONG MBBTxRxBytes;
union
{
ENERGY_STATE_DURATION Durations[3];
struct
{
ENERGY_STATE_DURATION ForegroundDuration;
ENERGY_STATE_DURATION DesktopVisibleDuration;
ENERGY_STATE_DURATION PSMForegroundDuration;
};
};
ULONG CompositionRendered;
ULONG CompositionDirtyGenerated;
ULONG CompositionDirtyPropagated;
ULONG Reserved1;
ULONGLONG AttributedCycles[4][2];
ULONGLONG WorkOnBehalfCycles[4][2];
} PROCESS_ENERGY_VALUES, * PPROCESS_ENERGY_VALUES;
typedef struct _TIMELINE_BITMAP
{
ULONGLONG Value;
ULONG EndTime;
ULONG Bitmap;
} TIMELINE_BITMAP, * PTIMELINE_BITMAP;
typedef struct _PROCESS_ENERGY_VALUES_EXTENSION
{
union
{
TIMELINE_BITMAP Timelines[14]; // 9 for REDSTONE2, 14 for REDSTONE3/4/5
struct
{
TIMELINE_BITMAP CpuTimeline;
TIMELINE_BITMAP DiskTimeline;
TIMELINE_BITMAP NetworkTimeline;
TIMELINE_BITMAP MBBTimeline;
TIMELINE_BITMAP ForegroundTimeline;
TIMELINE_BITMAP DesktopVisibleTimeline;
TIMELINE_BITMAP CompositionRenderedTimeline;
TIMELINE_BITMAP CompositionDirtyGeneratedTimeline;
TIMELINE_BITMAP CompositionDirtyPropagatedTimeline;
TIMELINE_BITMAP InputTimeline; // REDSTONE3
TIMELINE_BITMAP AudioInTimeline;
TIMELINE_BITMAP AudioOutTimeline;
TIMELINE_BITMAP DisplayRequiredTimeline;
TIMELINE_BITMAP KeyboardInputTimeline;
};
};
union // REDSTONE3
{
ENERGY_STATE_DURATION Durations[5];
struct
{
ENERGY_STATE_DURATION InputDuration;
ENERGY_STATE_DURATION AudioInDuration;
ENERGY_STATE_DURATION AudioOutDuration;
ENERGY_STATE_DURATION DisplayRequiredDuration;
ENERGY_STATE_DURATION PSMBackgroundDuration;
};
};
ULONG KeyboardInput;
ULONG MouseInput;
} PROCESS_ENERGY_VALUES_EXTENSION, * PPROCESS_ENERGY_VALUES_EXTENSION;
typedef struct _PROCESS_EXTENDED_ENERGY_VALUES
{
PROCESS_ENERGY_VALUES Base;
PROCESS_ENERGY_VALUES_EXTENSION Extension;
} PROCESS_EXTENDED_ENERGY_VALUES, * PPROCESS_EXTENDED_ENERGY_VALUES;
// private
typedef enum _SYSTEM_PROCESS_CLASSIFICATION
{
SystemProcessClassificationNormal,
SystemProcessClassificationSystem,
SystemProcessClassificationSecureSystem,
SystemProcessClassificationMemCompression,
SystemProcessClassificationRegistry, // REDSTONE4
SystemProcessClassificationMaximum
} SYSTEM_PROCESS_CLASSIFICATION;
// private
typedef struct _SYSTEM_PROCESS_INFORMATION_EXTENSION
{
PROCESS_DISK_COUNTERS DiskCounters;
ULONGLONG ContextSwitches;
union
{
ULONG Flags;
struct
{
ULONG HasStrongId : 1;
ULONG Classification : 4; // SYSTEM_PROCESS_CLASSIFICATION
ULONG BackgroundActivityModerated : 1;
ULONG Spare : 26;
};
};
ULONG UserSidOffset;
ULONG PackageFullNameOffset; // since THRESHOLD
PROCESS_ENERGY_VALUES EnergyValues; // since THRESHOLD
ULONG AppIdOffset; // since THRESHOLD
SIZE_T SharedCommitCharge; // since THRESHOLD2
ULONG JobObjectId; // since REDSTONE
ULONG SpareUlong; // since REDSTONE
ULONGLONG ProcessSequenceNumber;
} SYSTEM_PROCESS_INFORMATION_EXTENSION, * PSYSTEM_PROCESS_INFORMATION_EXTENSION;
// private
typedef struct _SYSTEM_PORTABLE_WORKSPACE_EFI_LAUNCHER_INFORMATION
{
BOOLEAN EfiLauncherEnabled;
} SYSTEM_PORTABLE_WORKSPACE_EFI_LAUNCHER_INFORMATION, * PSYSTEM_PORTABLE_WORKSPACE_EFI_LAUNCHER_INFORMATION;
// private
typedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX
{
BOOLEAN DebuggerAllowed;
BOOLEAN DebuggerEnabled;
BOOLEAN DebuggerPresent;
} SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX, * PSYSTEM_KERNEL_DEBUGGER_INFORMATION_EX;
// private
typedef struct _SYSTEM_ELAM_CERTIFICATE_INFORMATION
{
HANDLE ElamDriverFile;
} SYSTEM_ELAM_CERTIFICATE_INFORMATION, * PSYSTEM_ELAM_CERTIFICATE_INFORMATION;
// private
typedef struct _SYSTEM_PROCESSOR_FEATURES_INFORMATION
{
ULONGLONG ProcessorFeatureBits;
ULONGLONG Reserved[3];
} SYSTEM_PROCESSOR_FEATURES_INFORMATION, * PSYSTEM_PROCESSOR_FEATURES_INFORMATION;
// private
typedef struct _SYSTEM_MANUFACTURING_INFORMATION
{
ULONG Options;
UNICODE_STRING ProfileName;
} SYSTEM_MANUFACTURING_INFORMATION, * PSYSTEM_MANUFACTURING_INFORMATION;
// private
typedef struct _SYSTEM_ENERGY_ESTIMATION_CONFIG_INFORMATION
{
BOOLEAN Enabled;
} SYSTEM_ENERGY_ESTIMATION_CONFIG_INFORMATION, * PSYSTEM_ENERGY_ESTIMATION_CONFIG_INFORMATION;
// private
typedef struct _HV_DETAILS
{
ULONG Data[4];
} HV_DETAILS, * PHV_DETAILS;
// private
typedef struct _SYSTEM_HYPERVISOR_DETAIL_INFORMATION
{
HV_DETAILS HvVendorAndMaxFunction;
HV_DETAILS HypervisorInterface;
HV_DETAILS HypervisorVersion;
HV_DETAILS HvFeatures;
HV_DETAILS HwFeatures;
HV_DETAILS EnlightenmentInfo;
HV_DETAILS ImplementationLimits;
} SYSTEM_HYPERVISOR_DETAIL_INFORMATION, * PSYSTEM_HYPERVISOR_DETAIL_INFORMATION;
// private
typedef struct _SYSTEM_PROCESSOR_CYCLE_STATS_INFORMATION
{
ULONGLONG Cycles[2][4];
} SYSTEM_PROCESSOR_CYCLE_STATS_INFORMATION, * PSYSTEM_PROCESSOR_CYCLE_STATS_INFORMATION;
// private
typedef struct _SYSTEM_TPM_INFORMATION
{
ULONG Flags;
} SYSTEM_TPM_INFORMATION, * PSYSTEM_TPM_INFORMATION;
// private
typedef struct _SYSTEM_VSM_PROTECTION_INFORMATION
{
BOOLEAN DmaProtectionsAvailable;
BOOLEAN DmaProtectionsInUse;
BOOLEAN HardwareMbecAvailable; // REDSTONE4 (CVE-2018-3639)
BOOLEAN ApicVirtualizationAvailable; // 20H1
} SYSTEM_VSM_PROTECTION_INFORMATION, * PSYSTEM_VSM_PROTECTION_INFORMATION;
// private
typedef struct _SYSTEM_KERNEL_DEBUGGER_FLAGS
{
BOOLEAN KernelDebuggerIgnoreUmExceptions;
} SYSTEM_KERNEL_DEBUGGER_FLAGS, * PSYSTEM_KERNEL_DEBUGGER_FLAGS;
// private
typedef struct _SYSTEM_CODEINTEGRITYPOLICY_INFORMATION
{
ULONG Options;
ULONG HVCIOptions;
ULONGLONG Version;
GUID PolicyGuid;
} SYSTEM_CODEINTEGRITYPOLICY_INFORMATION, * PSYSTEM_CODEINTEGRITYPOLICY_INFORMATION;
// private
typedef struct _SYSTEM_ISOLATED_USER_MODE_INFORMATION
{
BOOLEAN SecureKernelRunning : 1;
BOOLEAN HvciEnabled : 1;
BOOLEAN HvciStrictMode : 1;
BOOLEAN DebugEnabled : 1;
BOOLEAN FirmwarePageProtection : 1;
BOOLEAN EncryptionKeyAvailable : 1;
BOOLEAN SpareFlags : 2;
BOOLEAN TrustletRunning : 1;
BOOLEAN HvciDisableAllowed : 1;
BOOLEAN SpareFlags2 : 6;
BOOLEAN Spare0[6];
ULONGLONG Spare1;
} SYSTEM_ISOLATED_USER_MODE_INFORMATION, * PSYSTEM_ISOLATED_USER_MODE_INFORMATION;
// private
typedef struct _SYSTEM_SINGLE_MODULE_INFORMATION
{
PVOID TargetModuleAddress;
RTL_PROCESS_MODULE_INFORMATION_EX ExInfo;
} SYSTEM_SINGLE_MODULE_INFORMATION, * PSYSTEM_SINGLE_MODULE_INFORMATION;
// private
typedef struct _SYSTEM_INTERRUPT_CPU_SET_INFORMATION
{
ULONG Gsiv;
USHORT Group;
ULONGLONG CpuSets;
} SYSTEM_INTERRUPT_CPU_SET_INFORMATION, * PSYSTEM_INTERRUPT_CPU_SET_INFORMATION;
// private
typedef struct _SYSTEM_SECUREBOOT_POLICY_FULL_INFORMATION
{
SYSTEM_SECUREBOOT_POLICY_INFORMATION PolicyInformation;
ULONG PolicySize;
UCHAR Policy[1];
} SYSTEM_SECUREBOOT_POLICY_FULL_INFORMATION, * PSYSTEM_SECUREBOOT_POLICY_FULL_INFORMATION;
// private
typedef struct _SYSTEM_ROOT_SILO_INFORMATION
{
ULONG NumberOfSilos;
ULONG SiloIdList[1];
} SYSTEM_ROOT_SILO_INFORMATION, * PSYSTEM_ROOT_SILO_INFORMATION;
// private
typedef struct _SYSTEM_CPU_SET_TAG_INFORMATION
{
ULONGLONG Tag;
ULONGLONG CpuSets[1];
} SYSTEM_CPU_SET_TAG_INFORMATION, * PSYSTEM_CPU_SET_TAG_INFORMATION;
// private
typedef struct _SYSTEM_SECURE_KERNEL_HYPERGUARD_PROFILE_INFORMATION
{
ULONG ExtentCount;
ULONG ValidStructureSize;
ULONG NextExtentIndex;
ULONG ExtentRestart;
ULONG CycleCount;
ULONG TimeoutCount;
ULONGLONG CycleTime;
ULONGLONG CycleTimeMax;
ULONGLONG ExtentTime;
ULONG ExtentTimeIndex;
ULONG ExtentTimeMaxIndex;
ULONGLONG ExtentTimeMax;
ULONGLONG HyperFlushTimeMax;
ULONGLONG TranslateVaTimeMax;
ULONGLONG DebugExemptionCount;
ULONGLONG TbHitCount;
ULONGLONG TbMissCount;
ULONGLONG VinaPendingYield;
ULONGLONG HashCycles;
ULONG HistogramOffset;
ULONG HistogramBuckets;
ULONG HistogramShift;
ULONG Reserved1;
ULONGLONG PageNotPresentCount;
} SYSTEM_SECURE_KERNEL_HYPERGUARD_PROFILE_INFORMATION, * PSYSTEM_SECURE_KERNEL_HYPERGUARD_PROFILE_INFORMATION;
// private
typedef struct _SYSTEM_SECUREBOOT_PLATFORM_MANIFEST_INFORMATION
{
ULONG PlatformManifestSize;
UCHAR PlatformManifest[1];
} SYSTEM_SECUREBOOT_PLATFORM_MANIFEST_INFORMATION, * PSYSTEM_SECUREBOOT_PLATFORM_MANIFEST_INFORMATION;
// private
typedef struct _SYSTEM_INTERRUPT_STEERING_INFORMATION_INPUT
{
ULONG Gsiv;
UCHAR ControllerInterrupt;
UCHAR EdgeInterrupt;
UCHAR IsPrimaryInterrupt;
GROUP_AFFINITY TargetAffinity;
} SYSTEM_INTERRUPT_STEERING_INFORMATION_INPUT, * PSYSTEM_INTERRUPT_STEERING_INFORMATION_INPUT;
// private
typedef struct _SYSTEM_MEMORY_USAGE_INFORMATION
{
ULONGLONG TotalPhysicalBytes;
ULONGLONG AvailableBytes;
LONGLONG ResidentAvailableBytes;
ULONGLONG CommittedBytes;
ULONGLONG SharedCommittedBytes;
ULONGLONG CommitLimitBytes;
ULONGLONG PeakCommitmentBytes;
} SYSTEM_MEMORY_USAGE_INFORMATION, * PSYSTEM_MEMORY_USAGE_INFORMATION;
// private
typedef struct _SYSTEM_CODEINTEGRITY_CERTIFICATE_INFORMATION
{
HANDLE ImageFile;
ULONG Type; // REDSTONE4
} SYSTEM_CODEINTEGRITY_CERTIFICATE_INFORMATION, * PSYSTEM_CODEINTEGRITY_CERTIFICATE_INFORMATION;
// private
typedef struct _SYSTEM_PHYSICAL_MEMORY_INFORMATION
{
ULONGLONG TotalPhysicalBytes;
ULONGLONG LowestPhysicalAddress;
ULONGLONG HighestPhysicalAddress;
} SYSTEM_PHYSICAL_MEMORY_INFORMATION, * PSYSTEM_PHYSICAL_MEMORY_INFORMATION;
// private
typedef enum _SYSTEM_ACTIVITY_MODERATION_STATE
{
SystemActivityModerationStateSystemManaged,
SystemActivityModerationStateUserManagedAllowThrottling,
SystemActivityModerationStateUserManagedDisableThrottling,
MaxSystemActivityModerationState
} SYSTEM_ACTIVITY_MODERATION_STATE;
// private - REDSTONE2
typedef struct _SYSTEM_ACTIVITY_MODERATION_EXE_STATE // REDSTONE3: Renamed SYSTEM_ACTIVITY_MODERATION_INFO
{
UNICODE_STRING ExePathNt;
SYSTEM_ACTIVITY_MODERATION_STATE ModerationState;
} SYSTEM_ACTIVITY_MODERATION_EXE_STATE, * PSYSTEM_ACTIVITY_MODERATION_EXE_STATE;
typedef enum _SYSTEM_ACTIVITY_MODERATION_APP_TYPE
{
SystemActivityModerationAppTypeClassic,
SystemActivityModerationAppTypePackaged,
MaxSystemActivityModerationAppType
} SYSTEM_ACTIVITY_MODERATION_APP_TYPE;
// private - REDSTONE3
typedef struct _SYSTEM_ACTIVITY_MODERATION_INFO
{
UNICODE_STRING Identifier;
SYSTEM_ACTIVITY_MODERATION_STATE ModerationState;
SYSTEM_ACTIVITY_MODERATION_APP_TYPE AppType;
} SYSTEM_ACTIVITY_MODERATION_INFO, * PSYSTEM_ACTIVITY_MODERATION_INFO;
// private
typedef struct _SYSTEM_ACTIVITY_MODERATION_USER_SETTINGS
{
HANDLE UserKeyHandle;
} SYSTEM_ACTIVITY_MODERATION_USER_SETTINGS, * PSYSTEM_ACTIVITY_MODERATION_USER_SETTINGS;
// private
typedef struct _SYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION
{
union
{
ULONG Flags;
struct
{
ULONG Locked : 1;
ULONG UnlockApplied : 1; // Unlockable field removed 19H1
ULONG UnlockIdValid : 1;
ULONG Reserved : 29;
};
};
UCHAR UnlockId[32]; // REDSTONE4
} SYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION, * PSYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION;
// private
typedef struct _SYSTEM_FLUSH_INFORMATION
{
ULONG SupportedFlushMethods;
ULONG ProcessorCacheFlushSize;
ULONGLONG SystemFlushCapabilities;
ULONGLONG Reserved[2];
} SYSTEM_FLUSH_INFORMATION, * PSYSTEM_FLUSH_INFORMATION;
// private
typedef struct _SYSTEM_WRITE_CONSTRAINT_INFORMATION
{
ULONG WriteConstraintPolicy;
ULONG Reserved;
} SYSTEM_WRITE_CONSTRAINT_INFORMATION, * PSYSTEM_WRITE_CONSTRAINT_INFORMATION;
// private
typedef struct _SYSTEM_KERNEL_VA_SHADOW_INFORMATION
{
union
{
ULONG KvaShadowFlags;
struct
{
ULONG KvaShadowEnabled : 1;
ULONG KvaShadowUserGlobal : 1;
ULONG KvaShadowPcid : 1;
ULONG KvaShadowInvpcid : 1;
ULONG KvaShadowRequired : 1; // REDSTONE4
ULONG KvaShadowRequiredAvailable : 1;
ULONG InvalidPteBit : 6;
ULONG L1DataCacheFlushSupported : 1;
ULONG L1TerminalFaultMitigationPresent : 1;
ULONG Reserved : 18;
};
};
} SYSTEM_KERNEL_VA_SHADOW_INFORMATION, * PSYSTEM_KERNEL_VA_SHADOW_INFORMATION;
// private
typedef struct _SYSTEM_CODEINTEGRITYVERIFICATION_INFORMATION
{
HANDLE FileHandle;
ULONG ImageSize;
PVOID Image;
} SYSTEM_CODEINTEGRITYVERIFICATION_INFORMATION, * PSYSTEM_CODEINTEGRITYVERIFICATION_INFORMATION;
// private
typedef struct _SYSTEM_HYPERVISOR_SHARED_PAGE_INFORMATION
{
PVOID HypervisorSharedUserVa;
} SYSTEM_HYPERVISOR_SHARED_PAGE_INFORMATION, * PSYSTEM_HYPERVISOR_SHARED_PAGE_INFORMATION;
// private
typedef struct _SYSTEM_FIRMWARE_PARTITION_INFORMATION
{
UNICODE_STRING FirmwarePartition;
} SYSTEM_FIRMWARE_PARTITION_INFORMATION, * PSYSTEM_FIRMWARE_PARTITION_INFORMATION;
// private
typedef struct _SYSTEM_SPECULATION_CONTROL_INFORMATION
{
union
{
ULONG Flags;
struct
{
ULONG BpbEnabled : 1;
ULONG BpbDisabledSystemPolicy : 1;
ULONG BpbDisabledNoHardwareSupport : 1;
ULONG SpecCtrlEnumerated : 1;
ULONG SpecCmdEnumerated : 1;
ULONG IbrsPresent : 1;
ULONG StibpPresent : 1;
ULONG SmepPresent : 1;
ULONG SpeculativeStoreBypassDisableAvailable : 1; // REDSTONE4 (CVE-2018-3639)
ULONG SpeculativeStoreBypassDisableSupported : 1;
ULONG SpeculativeStoreBypassDisabledSystemWide : 1;
ULONG SpeculativeStoreBypassDisabledKernel : 1;
ULONG SpeculativeStoreBypassDisableRequired : 1;
ULONG BpbDisabledKernelToUser : 1;
ULONG SpecCtrlRetpolineEnabled : 1;
ULONG SpecCtrlImportOptimizationEnabled : 1;
ULONG EnhancedIbrs : 1; // since 19H1
ULONG HvL1tfStatusAvailable : 1;
ULONG HvL1tfProcessorNotAffected : 1;
ULONG HvL1tfMigitationEnabled : 1;
ULONG HvL1tfMigitationNotEnabled_Hardware : 1;
ULONG HvL1tfMigitationNotEnabled_LoadOption : 1;
ULONG HvL1tfMigitationNotEnabled_CoreScheduler : 1;
ULONG EnhancedIbrsReported : 1;
ULONG MdsHardwareProtected : 1; // since 19H2
ULONG MbClearEnabled : 1;
ULONG MbClearReported : 1;
ULONG Reserved : 5;
};
};
} SYSTEM_SPECULATION_CONTROL_INFORMATION, * PSYSTEM_SPECULATION_CONTROL_INFORMATION;
// private
typedef struct _SYSTEM_DMA_GUARD_POLICY_INFORMATION
{
BOOLEAN DmaGuardPolicyEnabled;
} SYSTEM_DMA_GUARD_POLICY_INFORMATION, * PSYSTEM_DMA_GUARD_POLICY_INFORMATION;
// private
typedef struct _SYSTEM_ENCLAVE_LAUNCH_CONTROL_INFORMATION
{
UCHAR EnclaveLaunchSigner[32];
} SYSTEM_ENCLAVE_LAUNCH_CONTROL_INFORMATION, * PSYSTEM_ENCLAVE_LAUNCH_CONTROL_INFORMATION;
// private
typedef struct _SYSTEM_WORKLOAD_ALLOWED_CPU_SET_INFORMATION
{
ULONGLONG WorkloadClass;
ULONGLONG CpuSets[1];
} SYSTEM_WORKLOAD_ALLOWED_CPU_SET_INFORMATION, * PSYSTEM_WORKLOAD_ALLOWED_CPU_SET_INFORMATION;
// private
typedef struct _SYSTEM_SECURITY_MODEL_INFORMATION
{
union
{
ULONG SecurityModelFlags;
struct
{
ULONG SModeAdminlessEnabled : 1;
ULONG AllowDeviceOwnerProtectionDowngrade : 1;
ULONG Reserved : 30;
};
};
} SYSTEM_SECURITY_MODEL_INFORMATION, * PSYSTEM_SECURITY_MODEL_INFORMATION;
// private
typedef struct _SYSTEM_FEATURE_CONFIGURATION_INFORMATION
{
ULONGLONG ChangeStamp;
struct _RTL_FEATURE_CONFIGURATION* Configuration; // see ntrtl.h for types
} SYSTEM_FEATURE_CONFIGURATION_INFORMATION, * PSYSTEM_FEATURE_CONFIGURATION_INFORMATION;
// private
typedef struct _SYSTEM_FEATURE_CONFIGURATION_SECTIONS_INFORMATION_ENTRY
{
ULONGLONG ChangeStamp;
PVOID Section;
ULONGLONG Size;
} SYSTEM_FEATURE_CONFIGURATION_SECTIONS_INFORMATION_ENTRY, * PSYSTEM_FEATURE_CONFIGURATION_SECTIONS_INFORMATION_ENTRY;
// private
typedef struct _SYSTEM_FEATURE_CONFIGURATION_SECTIONS_INFORMATION
{
ULONGLONG OverallChangeStamp;
SYSTEM_FEATURE_CONFIGURATION_SECTIONS_INFORMATION_ENTRY Descriptors[3];
} SYSTEM_FEATURE_CONFIGURATION_SECTIONS_INFORMATION, * PSYSTEM_FEATURE_CONFIGURATION_SECTIONS_INFORMATION;
// private
typedef union _SECURE_SPECULATION_CONTROL_INFORMATION
{
ULONG KvaShadowSupported : 1;
ULONG KvaShadowEnabled : 1;
ULONG KvaShadowUserGlobal : 1;
ULONG KvaShadowPcid : 1;
ULONG MbClearEnabled : 1;
ULONG L1TFMitigated : 1; // since 20H2
ULONG BpbEnabled : 1;
ULONG IbrsPresent : 1;
ULONG EnhancedIbrs : 1;
ULONG StibpPresent : 1;
ULONG SsbdSupported : 1;
ULONG SsbdRequired : 1;
ULONG BpbKernelToUser : 1;
ULONG BpbUserToKernel : 1;
ULONG Reserved : 18;
} SECURE_SPECULATION_CONTROL_INFORMATION, * PSECURE_SPECULATION_CONTROL_INFORMATION;
// private
typedef struct _SYSTEM_FIRMWARE_RAMDISK_INFORMATION
{
ULONG Version;
ULONG BlockSize;
ULONG_PTR BaseAddress;
SIZE_T Size;
} SYSTEM_FIRMWARE_RAMDISK_INFORMATION, * PSYSTEM_FIRMWARE_RAMDISK_INFORMATION;
// private
typedef struct _SYSTEM_SHADOW_STACK_INFORMATION
{
union
{
ULONG Flags;
struct
{
ULONG CetCapable : 1;
ULONG UserCetAllowed : 1;
ULONG ReservedForUserCet : 6;
ULONG KernelCetEnabled : 1;
ULONG ReservedForKernelCet : 7;
ULONG Reserved : 16;
};
};
} SYSTEM_SHADOW_STACK_INFORMATION, * PSYSTEM_SHADOW_STACK_INFORMATION;
// private
typedef union _SYSTEM_BUILD_VERSION_INFORMATION_FLAGS
{
ULONG Value32;
struct
{
ULONG IsTopLevel : 1;
ULONG IsChecked : 1;
};
} SYSTEM_BUILD_VERSION_INFORMATION_FLAGS, * PSYSTEM_BUILD_VERSION_INFORMATION_FLAGS;
// private
typedef struct _SYSTEM_BUILD_VERSION_INFORMATION
{
USHORT LayerNumber;
USHORT LayerCount;
ULONG OsMajorVersion;
ULONG OsMinorVersion;
ULONG NtBuildNumber;
ULONG NtBuildQfe;
UCHAR LayerName[128];
UCHAR NtBuildBranch[128];
UCHAR NtBuildLab[128];
UCHAR NtBuildLabEx[128];
UCHAR NtBuildStamp[26];
UCHAR NtBuildArch[16];
SYSTEM_BUILD_VERSION_INFORMATION_FLAGS Flags;
} SYSTEM_BUILD_VERSION_INFORMATION, * PSYSTEM_BUILD_VERSION_INFORMATION;
// private
typedef struct _SYSTEM_POOL_LIMIT_MEM_INFO
{
ULONGLONG MemoryLimit;
ULONGLONG NotificationLimit;
} SYSTEM_POOL_LIMIT_MEM_INFO, * PSYSTEM_POOL_LIMIT_MEM_INFO;
// private
typedef struct _SYSTEM_POOL_LIMIT_INFO
{
ULONG PoolTag;
SYSTEM_POOL_LIMIT_MEM_INFO MemLimits[2];
WNF_STATE_NAME NotificationHandle;
} SYSTEM_POOL_LIMIT_INFO, * PSYSTEM_POOL_LIMIT_INFO;
// private
typedef struct _SYSTEM_POOL_LIMIT_INFORMATION
{
ULONG Version;
ULONG EntryCount;
SYSTEM_POOL_LIMIT_INFO LimitEntries[1];
} SYSTEM_POOL_LIMIT_INFORMATION, * PSYSTEM_POOL_LIMIT_INFORMATION;
// private
//typedef struct _SYSTEM_POOL_ZEROING_INFORMATION
//{
// BOOLEAN PoolZeroingSupportPresent;
//} SYSTEM_POOL_ZEROING_INFORMATION, *PSYSTEM_POOL_ZEROING_INFORMATION;
// private
typedef struct _HV_MINROOT_NUMA_LPS
{
ULONG NodeIndex;
ULONG_PTR Mask[16];
} HV_MINROOT_NUMA_LPS, * PHV_MINROOT_NUMA_LPS;
// private
typedef enum _SYSTEM_IOMMU_STATE
{
IommuStateBlock,
IommuStateUnblock
} SYSTEM_IOMMU_STATE;
// private
typedef struct _SYSTEM_IOMMU_STATE_INFORMATION
{
SYSTEM_IOMMU_STATE State;
PVOID Pdo;
} SYSTEM_IOMMU_STATE_INFORMATION, * PSYSTEM_IOMMU_STATE_INFORMATION;
// private
typedef struct _SYSTEM_HYPERVISOR_MINROOT_INFORMATION
{
ULONG NumProc;
ULONG RootProc;
ULONG RootProcNumaNodesSpecified;
USHORT RootProcNumaNodes[64];
ULONG RootProcPerCore;
ULONG RootProcPerNode;
ULONG RootProcNumaNodesLpsSpecified;
HV_MINROOT_NUMA_LPS RootProcNumaNodeLps[64];
} SYSTEM_HYPERVISOR_MINROOT_INFORMATION, * PSYSTEM_HYPERVISOR_MINROOT_INFORMATION;
// private
typedef struct _SYSTEM_HYPERVISOR_BOOT_PAGES_INFORMATION
{
ULONG RangeCount;
ULONG_PTR RangeArray[1];
} SYSTEM_HYPERVISOR_BOOT_PAGES_INFORMATION, * PSYSTEM_HYPERVISOR_BOOT_PAGES_INFORMATION;
// private
typedef struct _SYSTEM_POINTER_AUTH_INFORMATION
{
union
{
USHORT SupportedFlags;
struct
{
USHORT AddressAuthSupported : 1;
USHORT AddressAuthQarma : 1;
USHORT GenericAuthSupported : 1;
USHORT GenericAuthQarma : 1;
USHORT SupportedReserved : 12;
};
};
union
{
USHORT EnabledFlags;
struct
{
USHORT UserPerProcessIpAuthEnabled : 1;
USHORT UserGlobalIpAuthEnabled : 1;
USHORT UserEnabledReserved : 6;
USHORT KernelIpAuthEnabled : 1;
USHORT KernelEnabledReserved : 7;
};
};
} SYSTEM_POINTER_AUTH_INFORMATION, * PSYSTEM_POINTER_AUTH_INFORMATION;
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtQuerySystemInformation(
_In_ SYSTEM_INFORMATION_CLASS SystemInformationClass,
_Out_writes_bytes_opt_(SystemInformationLength) PVOID SystemInformation,
_In_ ULONG SystemInformationLength,
_Out_opt_ PULONG ReturnLength
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwQuerySystemInformation(
_In_ SYSTEM_INFORMATION_CLASS SystemInformationClass,
_Out_writes_bytes_opt_(SystemInformationLength) PVOID SystemInformation,
_In_ ULONG SystemInformationLength,
_Out_opt_ PULONG ReturnLength
);
#if (NTDDI_VERSION >= NTDDI_WIN7)
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtQuerySystemInformationEx(
_In_ SYSTEM_INFORMATION_CLASS SystemInformationClass,
_In_reads_bytes_(InputBufferLength) PVOID InputBuffer,
_In_ ULONG InputBufferLength,
_Out_writes_bytes_opt_(SystemInformationLength) PVOID SystemInformation,
_In_ ULONG SystemInformationLength,
_Out_opt_ PULONG ReturnLength
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwQuerySystemInformationEx(
_In_ SYSTEM_INFORMATION_CLASS SystemInformationClass,
_In_reads_bytes_(InputBufferLength) PVOID InputBuffer,
_In_ ULONG InputBufferLength,
_Out_writes_bytes_opt_(SystemInformationLength) PVOID SystemInformation,
_In_ ULONG SystemInformationLength,
_Out_opt_ PULONG ReturnLength
);
#endif
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetSystemInformation(
_In_ SYSTEM_INFORMATION_CLASS SystemInformationClass,
_In_reads_bytes_opt_(SystemInformationLength) PVOID SystemInformation,
_In_ ULONG SystemInformationLength
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwSetSystemInformation(
_In_ SYSTEM_INFORMATION_CLASS SystemInformationClass,
_In_reads_bytes_opt_(SystemInformationLength) PVOID SystemInformation,
_In_ ULONG SystemInformationLength
);
//
// Define data shared between kernel and user mode.
//
// N.B. User mode has read only access to this data
//
#ifndef _KERNEL_MODE
#define PROCESSOR_FEATURE_MAX 64
typedef enum _ALTERNATIVE_ARCHITECTURE_TYPE
{
StandardDesign, // None == 0 == standard design
NEC98x86, // NEC PC98xx series on X86
EndAlternatives // past end of known alternatives
} ALTERNATIVE_ARCHITECTURE_TYPE;
//
// WARNING: This structure must have exactly the same layout for 32- and
// 64-bit systems. The layout of this structure cannot change and new
// fields can only be added at the end of the structure (unless a gap
// can be exploited). Deprecated fields cannot be deleted. Platform
// specific fields are included on all systems.
//
// Layout exactness is required for Wow64 support of 32-bit applications
// on Win64 systems.
//
// The layout itself cannot change since this structure has been exported
// in ntddk, ntifs.h, and nthal.h for some time.
//
// Define NX support policy values.
//
#define NX_SUPPORT_POLICY_ALWAYSOFF 0
#define NX_SUPPORT_POLICY_ALWAYSON 1
#define NX_SUPPORT_POLICY_OPTIN 2
#define NX_SUPPORT_POLICY_OPTOUT 3
//
// SEH chain validation policies.
//
// N.B. These constants must not be changed because the ldr relies on their
// semantic meaning.
//
#define SEH_VALIDATION_POLICY_ON 0
#define SEH_VALIDATION_POLICY_OFF 1
#define SEH_VALIDATION_POLICY_TELEMETRY 2
#define SEH_VALIDATION_POLICY_DEFER 3
//
// Global shared data flags and manipulation macros.
//
#define SHARED_GLOBAL_FLAGS_ERROR_PORT_V 0x0
#define SHARED_GLOBAL_FLAGS_ERROR_PORT \
(1UL << SHARED_GLOBAL_FLAGS_ERROR_PORT_V)
#define SHARED_GLOBAL_FLAGS_ELEVATION_ENABLED_V 0x1
#define SHARED_GLOBAL_FLAGS_ELEVATION_ENABLED \
(1UL << SHARED_GLOBAL_FLAGS_ELEVATION_ENABLED_V)
#define SHARED_GLOBAL_FLAGS_VIRT_ENABLED_V 0x2
#define SHARED_GLOBAL_FLAGS_VIRT_ENABLED \
(1UL << SHARED_GLOBAL_FLAGS_VIRT_ENABLED_V)
#define SHARED_GLOBAL_FLAGS_INSTALLER_DETECT_ENABLED_V 0x3
#define SHARED_GLOBAL_FLAGS_INSTALLER_DETECT_ENABLED \
(1UL << SHARED_GLOBAL_FLAGS_INSTALLER_DETECT_ENABLED_V)
#define SHARED_GLOBAL_FLAGS_LKG_ENABLED_V 0x4
#define SHARED_GLOBAL_FLAGS_LKG_ENABLED \
(1UL << SHARED_GLOBAL_FLAGS_LKG_ENABLED_V)
#define SHARED_GLOBAL_FLAGS_DYNAMIC_PROC_ENABLED_V 0x5
#define SHARED_GLOBAL_FLAGS_DYNAMIC_PROC_ENABLED \
(1UL << SHARED_GLOBAL_FLAGS_DYNAMIC_PROC_ENABLED_V)
#define SHARED_GLOBAL_FLAGS_CONSOLE_BROKER_ENABLED_V 0x6
#define SHARED_GLOBAL_FLAGS_CONSOLE_BROKER_ENABLED \
(1UL << SHARED_GLOBAL_FLAGS_CONSOLE_BROKER_ENABLED_V)
#define SHARED_GLOBAL_FLAGS_SECURE_BOOT_ENABLED_V 0x7
#define SHARED_GLOBAL_FLAGS_SECURE_BOOT_ENABLED \
(1UL << SHARED_GLOBAL_FLAGS_SECURE_BOOT_ENABLED_V)
#define SHARED_GLOBAL_FLAGS_MULTI_SESSION_SKU_V 0x8
#define SHARED_GLOBAL_FLAGS_MULTI_SESSION_SKU \
(1UL << SHARED_GLOBAL_FLAGS_MULTI_SESSION_SKU_V)
#define SHARED_GLOBAL_FLAGS_MULTIUSERS_IN_SESSION_SKU_V 0x9
#define SHARED_GLOBAL_FLAGS_MULTIUSERS_IN_SESSION_SKU \
(1UL << SHARED_GLOBAL_FLAGS_MULTIUSERS_IN_SESSION_SKU_V)
#define SHARED_GLOBAL_FLAGS_STATE_SEPARATION_ENABLED_V 0xA
#define SHARED_GLOBAL_FLAGS_STATE_SEPARATION_ENABLED \
(1UL << SHARED_GLOBAL_FLAGS_STATE_SEPARATION_ENABLED_V)
#define EX_INIT_BITS(Flags, Bit) \
*((Flags)) |= (Bit) // Safe to use before concurrently accessible
#define EX_TEST_SET_BIT(Flags, Bit) \
InterlockedBitTestAndSet ((PLONG)(Flags), (Bit))
#define EX_TEST_CLEAR_BIT(Flags, Bit) \
InterlockedBitTestAndReset ((PLONG)(Flags), (Bit))
//
// Define legal values for the SystemCall member.
//
#define SYSTEM_CALL_SYSCALL 0
#define SYSTEM_CALL_INT_2E 1
//
// Define flags for QPC bypass information. None of these flags may be set
// unless bypass is enabled. This is for compat with existing code which
// compares this value to zero to detect bypass enablement.
//
#define SHARED_GLOBAL_FLAGS_QPC_BYPASS_ENABLED (0x01)
#define SHARED_GLOBAL_FLAGS_QPC_BYPASS_USE_HV_PAGE (0x02)
#define SHARED_GLOBAL_FLAGS_QPC_BYPASS_DISABLE_32BIT (0x04)
#define SHARED_GLOBAL_FLAGS_QPC_BYPASS_USE_MFENCE (0x10)
#define SHARED_GLOBAL_FLAGS_QPC_BYPASS_USE_LFENCE (0x20)
#define SHARED_GLOBAL_FLAGS_QPC_BYPASS_A73_ERRATA (0x40)
#define SHARED_GLOBAL_FLAGS_QPC_BYPASS_USE_RDTSCP (0x80)
#include <pshpack4.h>
//@[comment("MVI_tracked")]
typedef struct _KUSER_SHARED_DATA {
//
// Current low 32-bit of tick count and tick count multiplier.
//
// N.B. The tick count is updated each time the clock ticks.
//
ULONG TickCountLowDeprecated;
ULONG TickCountMultiplier;
//
// Current 64-bit interrupt time in 100ns units.
//
volatile KSYSTEM_TIME InterruptTime;
//
// Current 64-bit system time in 100ns units.
//
volatile KSYSTEM_TIME SystemTime;
//
// Current 64-bit time zone bias.
//
volatile KSYSTEM_TIME TimeZoneBias;
//
// Support image magic number range for the host system.
//
// N.B. This is an inclusive range.
//
USHORT ImageNumberLow;
USHORT ImageNumberHigh;
//
// Copy of system root in unicode.
//
// N.B. This field must be accessed via the RtlGetNtSystemRoot API for
// an accurate result.
//
WCHAR NtSystemRoot[260];
//
// Maximum stack trace depth if tracing enabled.
//
ULONG MaxStackTraceDepth;
//
// Crypto exponent value.
//
ULONG CryptoExponent;
//
// Time zone ID.
//
ULONG TimeZoneId;
ULONG LargePageMinimum;
//
// This value controls the AIT Sampling rate.
//
ULONG AitSamplingValue;
//
// This value controls switchback processing.
//
ULONG AppCompatFlag;
//
// Current Kernel Root RNG state seed version
//
ULONGLONG RNGSeedVersion;
//
// This value controls assertion failure handling.
//
ULONG GlobalValidationRunlevel;
volatile LONG TimeZoneBiasStamp;
//
// The shared collective build number undecorated with C or F.
// GetVersionEx hides the real number
//
ULONG NtBuildNumber;
//
// Product type.
//
// N.B. This field must be accessed via the RtlGetNtProductType API for
// an accurate result.
//
NT_PRODUCT_TYPE NtProductType;
BOOLEAN ProductTypeIsValid;
BOOLEAN Reserved0[1];
USHORT NativeProcessorArchitecture;
//
// The NT Version.
//
// N. B. Note that each process sees a version from its PEB, but if the
// process is running with an altered view of the system version,
// the following two fields are used to correctly identify the
// version
//
ULONG NtMajorVersion;
ULONG NtMinorVersion;
//
// Processor features.
//
BOOLEAN ProcessorFeatures[PROCESSOR_FEATURE_MAX];
//
// Reserved fields - do not use.
//
ULONG Reserved1;
ULONG Reserved3;
//
// Time slippage while in debugger.
//
volatile ULONG TimeSlip;
//
// Alternative system architecture, e.g., NEC PC98xx on x86.
//
ALTERNATIVE_ARCHITECTURE_TYPE AlternativeArchitecture;
//
// Boot sequence, incremented for each boot attempt by the OS loader.
//
ULONG BootId;
//
// If the system is an evaluation unit, the following field contains the
// date and time that the evaluation unit expires. A value of 0 indicates
// that there is no expiration. A non-zero value is the UTC absolute time
// that the system expires.
//
LARGE_INTEGER SystemExpirationDate;
//
// Suite support.
//
// N.B. This field must be accessed via the RtlGetSuiteMask API for
// an accurate result.
//
ULONG SuiteMask;
//
// TRUE if a kernel debugger is connected/enabled.
//
BOOLEAN KdDebuggerEnabled;
//
// Mitigation policies.
//
union
{
UCHAR MitigationPolicies;
struct
{
UCHAR NXSupportPolicy : 2;
UCHAR SEHValidationPolicy : 2;
UCHAR CurDirDevicesSkippedForDlls : 2;
UCHAR Reserved : 2;
};
};
//
// Measured duration of a single processor yield, in cycles. This is used by
// lock packages to determine how many times to spin waiting for a state
// change before blocking.
//
USHORT CyclesPerYield;
//
// Current console session Id. Always zero on non-TS systems.
//
// N.B. This field must be accessed via the RtlGetActiveConsoleId API for an
// accurate result.
//
volatile ULONG ActiveConsoleId;
//
// Force-dismounts cause handles to become invalid. Rather than always
// probe handles, a serial number of dismounts is maintained that clients
// can use to see if they need to probe handles.
//
volatile ULONG DismountCount;
//
// This field indicates the status of the 64-bit COM+ package on the
// system. It indicates whether the Itermediate Language (IL) COM+
// images need to use the 64-bit COM+ runtime or the 32-bit COM+ runtime.
//
ULONG ComPlusPackage;
//
// Time in tick count for system-wide last user input across all terminal
// sessions. For MP performance, it is not updated all the time (e.g. once
// a minute per session). It is used for idle detection.
//
ULONG LastSystemRITEventTickCount;
//
// Number of physical pages in the system. This can dynamically change as
// physical memory can be added or removed from a running system.
//
ULONG NumberOfPhysicalPages;
//
// True if the system was booted in safe boot mode.
//
BOOLEAN SafeBootMode;
//
// Virtualization flags
//
union {
UCHAR VirtualizationFlags;
#if defined(_ARM64_)
//
// Keep in sync with arc.w
//
struct {
UCHAR ArchStartedInEl2 : 1;
UCHAR QcSlIsSupported : 1;
UCHAR : 6;
};
#endif // _ARM64_
};
//
// Reserved (available for reuse).
//
UCHAR Reserved12[2];
//
// This is a packed bitfield that contains various flags concerning
// the system state. They must be manipulated using interlocked
// operations.
//
// N.B. DbgMultiSessionSku must be accessed via the RtlIsMultiSessionSku
// API for an accurate result
//
union {
ULONG SharedDataFlags;
struct {
//
// The following bit fields are for the debugger only. Do not use.
// Use the bit definitions instead.
//
ULONG DbgErrorPortPresent : 1;
ULONG DbgElevationEnabled : 1;
ULONG DbgVirtEnabled : 1;
ULONG DbgInstallerDetectEnabled : 1;
ULONG DbgLkgEnabled : 1;
ULONG DbgDynProcessorEnabled : 1;
ULONG DbgConsoleBrokerEnabled : 1;
ULONG DbgSecureBootEnabled : 1;
ULONG DbgMultiSessionSku : 1;
ULONG DbgMultiUsersInSessionSku : 1;
ULONG DbgStateSeparationEnabled : 1;
ULONG SpareBits : 21;
} DUMMYSTRUCTNAME2;
} DUMMYUNIONNAME2;
ULONG DataFlagsPad[1];
//
// Depending on the processor, the code for fast system call will differ,
// Stub code is provided pointers below to access the appropriate code.
//
// N.B. The following field is only used on 32-bit systems.
//
ULONGLONG TestRetInstruction;
LONGLONG QpcFrequency;
//
// On AMD64, this value is initialized to a nonzero value if the system
// operates with an altered view of the system service call mechanism.
//
ULONG SystemCall;
//
// Reserved field - do not use. Used to be UserCetAvailableEnvironments.
//
ULONG Reserved2;
//
// Reserved, available for reuse.
//
ULONGLONG SystemCallPad[2];
//
// The 64-bit tick count.
//
union {
volatile KSYSTEM_TIME TickCount;
volatile ULONG64 TickCountQuad;
struct {
ULONG ReservedTickCountOverlay[3];
ULONG TickCountPad[1];
} DUMMYSTRUCTNAME;
} DUMMYUNIONNAME3;
//
// Cookie for encoding pointers system wide.
//
ULONG Cookie;
ULONG CookiePad[1];
//
// Client id of the process having the focus in the current
// active console session id.
//
// N.B. This field must be accessed via the
// RtlGetConsoleSessionForegroundProcessId API for an accurate result.
//
LONGLONG ConsoleSessionForegroundProcessId;
//
// N.B. The following data is used to implement the precise time
// services. It is aligned on a 64-byte cache-line boundary and
// arranged in the order of typical accesses.
//
// Placeholder for the (internal) time update lock.
//
ULONGLONG TimeUpdateLock;
//
// The performance counter value used to establish the current system time.
//
ULONGLONG BaselineSystemTimeQpc;
//
// The performance counter value used to compute the last interrupt time.
//
ULONGLONG BaselineInterruptTimeQpc;
//
// The scaled number of system time seconds represented by a single
// performance count (this value may vary to achieve time synchronization).
//
ULONGLONG QpcSystemTimeIncrement;
//
// The scaled number of interrupt time seconds represented by a single
// performance count (this value is constant after the system is booted).
//
ULONGLONG QpcInterruptTimeIncrement;
//
// The scaling shift count applied to the performance counter system time
// increment.
//
UCHAR QpcSystemTimeIncrementShift;
//
// The scaling shift count applied to the performance counter interrupt time
// increment.
//
UCHAR QpcInterruptTimeIncrementShift;
//
// The count of unparked processors.
//
USHORT UnparkedProcessorCount;
//
// A bitmask of enclave features supported on this system.
//
// N.B. This field must be accessed via the RtlIsEnclareFeaturePresent API for an
// accurate result.
//
ULONG EnclaveFeatureMask[4];
//
// Current coverage round for telemetry based coverage.
//
ULONG TelemetryCoverageRound;
//
// The following field is used for ETW user mode global logging
// (UMGL).
//
USHORT UserModeGlobalLogger[16];
//
// Settings that can enable the use of Image File Execution Options
// from HKCU in addition to the original HKLM.
//
ULONG ImageFileExecutionOptions;
//
// Generation of the kernel structure holding system language information
//
ULONG LangGenerationCount;
//
// Reserved (available for reuse).
//
ULONGLONG Reserved4;
//
// Current 64-bit interrupt time bias in 100ns units.
//
volatile ULONGLONG InterruptTimeBias;
//
// Current 64-bit performance counter bias, in performance counter units
// before the shift is applied.
//
volatile ULONGLONG QpcBias;
//
// Number of active processors and groups.
//
ULONG ActiveProcessorCount;
volatile UCHAR ActiveGroupCount;
//
// Reserved (available for re-use).
//
UCHAR Reserved9;
union {
USHORT QpcData;
struct {
//
// A boolean indicating whether performance counter queries
// can read the counter directly (bypassing the system call).
//
volatile UCHAR QpcBypassEnabled;
//
// Shift applied to the raw counter value to derive the
// QPC count.
//
UCHAR QpcShift;
};
};
LARGE_INTEGER TimeZoneBiasEffectiveStart;
LARGE_INTEGER TimeZoneBiasEffectiveEnd;
//
// Extended processor state configuration
//
XSTATE_CONFIGURATION XState;
KSYSTEM_TIME FeatureConfigurationChangeStamp;
ULONG Spare;
} KUSER_SHARED_DATA, * PKUSER_SHARED_DATA;
#include <poppack.h>
//
// Mostly enforce earlier comment about the stability and
// architecture-neutrality of this struct.
//
#if !defined(__midl) && !defined(MIDL_PASS)
//
// Assembler logic assumes a zero value for syscall and a nonzero value for
// int 2e, and that no other values exist presently for the SystemCall field.
//
C_ASSERT(SYSTEM_CALL_SYSCALL == 0);
C_ASSERT(SYSTEM_CALL_INT_2E == 1);
//
// The overall size can change, but it must be the same for all architectures.
//
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TickCountLowDeprecated) == 0x0);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TickCountMultiplier) == 0x4);
C_ASSERT(__alignof(KSYSTEM_TIME) == 4);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, InterruptTime) == 0x08);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SystemTime) == 0x014);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TimeZoneBias) == 0x020);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ImageNumberLow) == 0x02c);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ImageNumberHigh) == 0x02e);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, NtSystemRoot) == 0x030);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, MaxStackTraceDepth) == 0x238);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, CryptoExponent) == 0x23c);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TimeZoneId) == 0x240);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, LargePageMinimum) == 0x244);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, AitSamplingValue) == 0x248);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, AppCompatFlag) == 0x24c);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, RNGSeedVersion) == 0x250);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, GlobalValidationRunlevel) == 0x258);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TimeZoneBiasStamp) == 0x25c);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, NtBuildNumber) == 0x260);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, NtProductType) == 0x264);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ProductTypeIsValid) == 0x268);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, NativeProcessorArchitecture) == 0x26a);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, NtMajorVersion) == 0x26c);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, NtMinorVersion) == 0x270);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ProcessorFeatures) == 0x274);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, Reserved1) == 0x2b4);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, Reserved3) == 0x2b8);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TimeSlip) == 0x2bc);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, AlternativeArchitecture) == 0x2c0);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SystemExpirationDate) == 0x2c8);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SuiteMask) == 0x2d0);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, KdDebuggerEnabled) == 0x2d4);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, MitigationPolicies) == 0x2d5);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, CyclesPerYield) == 0x2d6);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ActiveConsoleId) == 0x2d8);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, DismountCount) == 0x2dc);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ComPlusPackage) == 0x2e0);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, LastSystemRITEventTickCount) == 0x2e4);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, NumberOfPhysicalPages) == 0x2e8);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SafeBootMode) == 0x2ec);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, VirtualizationFlags) == 0x2ed);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, Reserved12) == 0x2ee);
#if defined(_MSC_EXTENSIONS)
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SharedDataFlags) == 0x2f0);
#endif
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TestRetInstruction) == 0x2f8);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, QpcFrequency) == 0x300);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SystemCall) == 0x308);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, Reserved2) == 0x30c);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SystemCallPad) == 0x310);
#if defined(_MSC_EXTENSIONS)
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TickCount) == 0x320);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TickCountQuad) == 0x320);
#endif
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, Cookie) == 0x330);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ConsoleSessionForegroundProcessId) == 0x338);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TimeUpdateLock) == 0x340);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, BaselineSystemTimeQpc) == 0x348);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, BaselineInterruptTimeQpc) == 0x350);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, QpcSystemTimeIncrement) == 0x358);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, QpcInterruptTimeIncrement) == 0x360);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, QpcSystemTimeIncrementShift) == 0x368);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, QpcInterruptTimeIncrementShift) == 0x369);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, UnparkedProcessorCount) == 0x36a);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, EnclaveFeatureMask) == 0x36c);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TelemetryCoverageRound) == 0x37c);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, UserModeGlobalLogger) == 0x380);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ImageFileExecutionOptions) == 0x3a0);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, LangGenerationCount) == 0x3a4);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, Reserved4) == 0x3a8);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, InterruptTimeBias) == 0x3b0);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, QpcBias) == 0x3b8);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ActiveProcessorCount) == 0x3c0);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ActiveGroupCount) == 0x3c4);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, Reserved9) == 0x3c5);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, QpcData) == 0x3c6);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, QpcBypassEnabled) == 0x3c6);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, QpcShift) == 0x3c7);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TimeZoneBiasEffectiveStart) == 0x3c8);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TimeZoneBiasEffectiveEnd) == 0x3d0);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, XState) == 0x3d8);
#if !defined(WINDOWS_IGNORE_PACKING_MISMATCH)
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, FeatureConfigurationChangeStamp) == 0x720);
C_ASSERT(sizeof(KUSER_SHARED_DATA) == 0x730);
#endif
#endif /* __midl | MIDL_PASS */
#ifndef SharedUserData
#define SharedUserData USER_SHARED_DATA
#endif
#endif // _KERNEL_MODE
#define USER_SHARED_DATA ((KUSER_SHARED_DATA * const)0x7ffe0000)
//
// Locale
//
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueryDefaultLocale(
_In_ BOOLEAN UserProfile,
_Out_ PLCID DefaultLocaleId
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryDefaultLocale(
_In_ BOOLEAN UserProfile,
_Out_ PLCID DefaultLocaleId
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetDefaultLocale(
_In_ BOOLEAN UserProfile,
_In_ LCID DefaultLocaleId
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwSetDefaultLocale(
_In_ BOOLEAN UserProfile,
_In_ LCID DefaultLocaleId
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueryInstallUILanguage(
_Out_ LANGID* InstallUILanguageId
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryInstallUILanguage(
_Out_ LANGID* InstallUILanguageId
);
#if (NTDDI_VERSION >= NTDDI_VISTA)
// private
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtFlushInstallUILanguage(
_In_ LANGID InstallUILanguage,
_In_ ULONG SetComittedFlag
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwFlushInstallUILanguage(
_In_ LANGID InstallUILanguage,
_In_ ULONG SetComittedFlag
);
#endif
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueryDefaultUILanguage(
_Out_ LANGID* DefaultUILanguageId
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryDefaultUILanguage(
_Out_ LANGID* DefaultUILanguageId
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetDefaultUILanguage(
_In_ LANGID DefaultUILanguageId
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwSetDefaultUILanguage(
_In_ LANGID DefaultUILanguageId
);
#if (NTDDI_VERSION >= NTDDI_VISTA)
// private
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtIsUILanguageComitted(
VOID
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwIsUILanguageComitted(
VOID
);
#endif
//
// NLS
//
// begin_private
#if (NTDDI_VERSION >= NTDDI_VISTA)
#if (NTDDI_VERSION >= NTDDI_WIN7)
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtInitializeNlsFiles(
_Out_ PVOID* BaseAddress,
_Out_ PLCID DefaultLocaleId,
_Out_ PLARGE_INTEGER DefaultCasingTableSize
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwInitializeNlsFiles(
_Out_ PVOID* BaseAddress,
_Out_ PLCID DefaultLocaleId,
_Out_ PLARGE_INTEGER DefaultCasingTableSize
);
#else
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtInitializeNlsFiles(
_Out_ PVOID* BaseAddress,
_Out_ PLCID DefaultLocaleId,
_Out_ PLARGE_INTEGER DefaultCasingTableSize,
_Out_opt_ PULONG CurrentNLSVersion
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwInitializeNlsFiles(
_Out_ PVOID* BaseAddress,
_Out_ PLCID DefaultLocaleId,
_Out_ PLARGE_INTEGER DefaultCasingTableSize,
_Out_opt_ PULONG CurrentNLSVersion
);
#endif
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtGetNlsSectionPtr(
_In_ ULONG SectionType,
_In_ ULONG SectionData,
_In_ PVOID ContextData,
_Out_ PVOID* SectionPointer,
_Out_ PULONG SectionSize
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwGetNlsSectionPtr(
_In_ ULONG SectionType,
_In_ ULONG SectionData,
_In_ PVOID ContextData,
_Out_ PVOID* SectionPointer,
_Out_ PULONG SectionSize
);
#if (NTDDI_VERSION < NTDDI_WIN7)
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtAcquireCMFViewOwnership(
_Out_ PULONGLONG TimeStamp,
_Out_ PBOOLEAN tokenTaken,
_In_ BOOLEAN replaceExisting
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwAcquireCMFViewOwnership(
_Out_ PULONGLONG TimeStamp,
_Out_ PBOOLEAN tokenTaken,
_In_ BOOLEAN replaceExisting
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtReleaseCMFViewOwnership(
VOID
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwReleaseCMFViewOwnership(
VOID
);
#endif
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtMapCMFModule(
_In_ ULONG What,
_In_ ULONG Index,
_Out_opt_ PULONG CacheIndexOut,
_Out_opt_ PULONG CacheFlagsOut,
_Out_opt_ PULONG ViewSizeOut,
_Out_opt_ PVOID* BaseAddress
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwMapCMFModule(
_In_ ULONG What,
_In_ ULONG Index,
_Out_opt_ PULONG CacheIndexOut,
_Out_opt_ PULONG CacheFlagsOut,
_Out_opt_ PULONG ViewSizeOut,
_Out_opt_ PVOID* BaseAddress
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtGetMUIRegistryInfo(
_In_ ULONG Flags,
_Inout_ PULONG DataSize,
_Out_ PVOID Data
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwGetMUIRegistryInfo(
_In_ ULONG Flags,
_Inout_ PULONG DataSize,
_Out_ PVOID Data
);
#endif
// end_private
//
// Global atoms
//
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtAddAtom(
_In_reads_bytes_opt_(Length) PWSTR AtomName,
_In_ ULONG Length,
_Out_opt_ PRTL_ATOM Atom
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwAddAtom(
_In_reads_bytes_opt_(Length) PWSTR AtomName,
_In_ ULONG Length,
_Out_opt_ PRTL_ATOM Atom
);
#if (NTDDI_VERSION >= NTDDI_WIN8)
#define ATOM_FLAG_GLOBAL 0x2
// rev
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtAddAtomEx(
_In_reads_bytes_opt_(Length) PWSTR AtomName,
_In_ ULONG Length,
_Out_opt_ PRTL_ATOM Atom,
_In_ ULONG Flags
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwAddAtomEx(
_In_reads_bytes_opt_(Length) PWSTR AtomName,
_In_ ULONG Length,
_Out_opt_ PRTL_ATOM Atom,
_In_ ULONG Flags
);
#endif
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtFindAtom(
_In_reads_bytes_opt_(Length) PWSTR AtomName,
_In_ ULONG Length,
_Out_opt_ PRTL_ATOM Atom
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwFindAtom(
_In_reads_bytes_opt_(Length) PWSTR AtomName,
_In_ ULONG Length,
_Out_opt_ PRTL_ATOM Atom
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtDeleteAtom(
_In_ RTL_ATOM Atom
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwDeleteAtom(
_In_ RTL_ATOM Atom
);
typedef enum _ATOM_INFORMATION_CLASS
{
AtomBasicInformation,
AtomTableInformation
} ATOM_INFORMATION_CLASS;
typedef struct _ATOM_BASIC_INFORMATION
{
USHORT UsageCount;
USHORT Flags;
USHORT NameLength;
WCHAR Name[1];
} ATOM_BASIC_INFORMATION, * PATOM_BASIC_INFORMATION;
typedef struct _ATOM_TABLE_INFORMATION
{
ULONG NumberOfAtoms;
RTL_ATOM Atoms[1];
} ATOM_TABLE_INFORMATION, * PATOM_TABLE_INFORMATION;
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueryInformationAtom(
_In_ RTL_ATOM Atom,
_In_ ATOM_INFORMATION_CLASS AtomInformationClass,
_Out_writes_bytes_(AtomInformationLength) PVOID AtomInformation,
_In_ ULONG AtomInformationLength,
_Out_opt_ PULONG ReturnLength
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryInformationAtom(
_In_ RTL_ATOM Atom,
_In_ ATOM_INFORMATION_CLASS AtomInformationClass,
_Out_writes_bytes_(AtomInformationLength) PVOID AtomInformation,
_In_ ULONG AtomInformationLength,
_Out_opt_ PULONG ReturnLength
);
//
// Global flags
//
#define FLG_STOP_ON_EXCEPTION 0x00000001 // uk
#define FLG_SHOW_LDR_SNAPS 0x00000002 // uk
#define FLG_DEBUG_INITIAL_COMMAND 0x00000004 // k
#define FLG_STOP_ON_HUNG_GUI 0x00000008 // k
#define FLG_HEAP_ENABLE_TAIL_CHECK 0x00000010 // u
#define FLG_HEAP_ENABLE_FREE_CHECK 0x00000020 // u
#define FLG_HEAP_VALIDATE_PARAMETERS 0x00000040 // u
#define FLG_HEAP_VALIDATE_ALL 0x00000080 // u
#define FLG_APPLICATION_VERIFIER 0x00000100 // u
#define FLG_POOL_ENABLE_TAGGING 0x00000400 // k
#define FLG_HEAP_ENABLE_TAGGING 0x00000800 // u
#define FLG_USER_STACK_TRACE_DB 0x00001000 // u,32
#define FLG_KERNEL_STACK_TRACE_DB 0x00002000 // k,32
#define FLG_MAINTAIN_OBJECT_TYPELIST 0x00004000 // k
#define FLG_HEAP_ENABLE_TAG_BY_DLL 0x00008000 // u
#define FLG_DISABLE_STACK_EXTENSION 0x00010000 // u
#define FLG_ENABLE_CSRDEBUG 0x00020000 // k
#define FLG_ENABLE_KDEBUG_SYMBOL_LOAD 0x00040000 // k
#define FLG_DISABLE_PAGE_KERNEL_STACKS 0x00080000 // k
#define FLG_ENABLE_SYSTEM_CRIT_BREAKS 0x00100000 // u
#define FLG_HEAP_DISABLE_COALESCING 0x00200000 // u
#define FLG_ENABLE_CLOSE_EXCEPTIONS 0x00400000 // k
#define FLG_ENABLE_EXCEPTION_LOGGING 0x00800000 // k
#define FLG_ENABLE_HANDLE_TYPE_TAGGING 0x01000000 // k
#define FLG_HEAP_PAGE_ALLOCS 0x02000000 // u
#define FLG_DEBUG_INITIAL_COMMAND_EX 0x04000000 // k
#define FLG_DISABLE_DBGPRINT 0x08000000 // k
#define FLG_CRITSEC_EVENT_CREATION 0x10000000 // u
#define FLG_LDR_TOP_DOWN 0x20000000 // u,64
#define FLG_ENABLE_HANDLE_EXCEPTIONS 0x40000000 // k
#define FLG_DISABLE_PROTDLLS 0x80000000 // u
#define FLG_VALID_BITS 0xfffffdff
#define FLG_USERMODE_VALID_BITS (FLG_STOP_ON_EXCEPTION | \
FLG_SHOW_LDR_SNAPS | \
FLG_HEAP_ENABLE_TAIL_CHECK | \
FLG_HEAP_ENABLE_FREE_CHECK | \
FLG_HEAP_VALIDATE_PARAMETERS | \
FLG_HEAP_VALIDATE_ALL | \
FLG_APPLICATION_VERIFIER | \
FLG_HEAP_ENABLE_TAGGING | \
FLG_USER_STACK_TRACE_DB | \
FLG_HEAP_ENABLE_TAG_BY_DLL | \
FLG_DISABLE_STACK_EXTENSION | \
FLG_ENABLE_SYSTEM_CRIT_BREAKS | \
FLG_HEAP_DISABLE_COALESCING | \
FLG_DISABLE_PROTDLLS | \
FLG_HEAP_PAGE_ALLOCS | \
FLG_CRITSEC_EVENT_CREATION | \
FLG_LDR_TOP_DOWN)
#define FLG_BOOTONLY_VALID_BITS (FLG_KERNEL_STACK_TRACE_DB | \
FLG_MAINTAIN_OBJECT_TYPELIST | \
FLG_ENABLE_CSRDEBUG | \
FLG_DEBUG_INITIAL_COMMAND | \
FLG_DEBUG_INITIAL_COMMAND_EX | \
FLG_DISABLE_PAGE_KERNEL_STACKS)
#define FLG_KERNELMODE_VALID_BITS (FLG_STOP_ON_EXCEPTION | \
FLG_SHOW_LDR_SNAPS | \
FLG_STOP_ON_HUNG_GUI | \
FLG_POOL_ENABLE_TAGGING | \
FLG_ENABLE_KDEBUG_SYMBOL_LOAD | \
FLG_ENABLE_CLOSE_EXCEPTIONS | \
FLG_ENABLE_EXCEPTION_LOGGING | \
FLG_ENABLE_HANDLE_TYPE_TAGGING | \
FLG_DISABLE_DBGPRINT | \
FLG_ENABLE_HANDLE_EXCEPTIONS)
//
// Licensing
//
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueryLicenseValue(
_In_ PUNICODE_STRING ValueName,
_Out_opt_ PULONG Type,
_Out_writes_bytes_to_opt_(DataSize, *ResultDataSize) PVOID Data,
_In_ ULONG DataSize,
_Out_ PULONG ResultDataSize
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryLicenseValue(
_In_ PUNICODE_STRING ValueName,
_Out_opt_ PULONG Type,
_Out_writes_bytes_to_opt_(DataSize, *ResultDataSize) PVOID Data,
_In_ ULONG DataSize,
_Out_ PULONG ResultDataSize
);
//
// Misc.
//
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetDefaultHardErrorPort(
_In_ HANDLE DefaultHardErrorPort
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwSetDefaultHardErrorPort(
_In_ HANDLE DefaultHardErrorPort
);
typedef enum _SHUTDOWN_ACTION
{
ShutdownNoReboot,
ShutdownReboot,
ShutdownPowerOff
} SHUTDOWN_ACTION;
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtShutdownSystem(
_In_ SHUTDOWN_ACTION Action
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwShutdownSystem(
_In_ SHUTDOWN_ACTION Action
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtDisplayString(
_In_ PUNICODE_STRING String
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwDisplayString(
_In_ PUNICODE_STRING String
);
//
// Boot graphics
//
#if (NTDDI_VERSION >= NTDDI_WIN7)
// rev
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtDrawText(
_In_ PUNICODE_STRING Text
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwDrawText(
_In_ PUNICODE_STRING Text
);
#endif
//
// Executive
//
#ifdef _KERNEL_MODE
// Exception
NTSYSAPI
int
ExSystemExceptionFilter(
VOID
);
// Fast Mutex
NTSYSAPI
VOID
FASTCALL
ExEnterCriticalRegionAndAcquireFastMutexUnsafe(
_Inout_ PFAST_MUTEX FastMutex
);
// Push Lock
NTSYSAPI
VOID
FASTCALL
ExfAcquirePushLockExclusive(
_Inout_ PEX_PUSH_LOCK PushLock
);
NTSYSAPI
VOID
FASTCALL
ExfReleasePushLockExclusive(
_Inout_ PEX_PUSH_LOCK PushLock
);
NTSYSAPI
VOID
FASTCALL
ExfAcquirePushLockShared(
_Inout_ PEX_PUSH_LOCK PushLock
);
NTSYSAPI
VOID
FASTCALL
ExfReleasePushLockShared(
_Inout_ PEX_PUSH_LOCK PushLock
);
NTSYSAPI
BOOLEAN
FASTCALL
ExfTryAcquirePushLockShared(
_Inout_ PEX_PUSH_LOCK PushLock
);
NTSYSAPI
VOID
FASTCALL
ExfTryToWakePushLock(
_Inout_ PEX_PUSH_LOCK PushLock
);
NTSYSAPI
VOID
FASTCALL
ExfReleasePushLock(
_Inout_ PEX_PUSH_LOCK PushLock
);
// Cache Aware Push Lock
#define EX_CACHE_LINE_SIZE (128)
#define EX_PUSH_LOCK_FANNED_COUNT (PAGE_SIZE/EX_CACHE_LINE_SIZE)
typedef struct EX_PUSH_LOCK_CACHE_AWARE
{
PEX_PUSH_LOCK Locks[EX_PUSH_LOCK_FANNED_COUNT];
}*PEX_PUSH_LOCK_CACHE_AWARE;
NTSYSAPI
PEX_PUSH_LOCK_CACHE_AWARE
NTAPI
ExAllocateCacheAwarePushLock(
VOID
);
NTSYSAPI
VOID
NTAPI
ExFreeCacheAwarePushLock(
_Inout_ PEX_PUSH_LOCK_CACHE_AWARE PushLock
);
NTSYSAPI
VOID
NTAPI
ExAcquireCacheAwarePushLockExclusive(
_Inout_ PEX_PUSH_LOCK_CACHE_AWARE CacheAwarePushLock
);
NTSYSAPI
VOID
NTAPI
ExReleaseCacheAwarePushLockExclusive(
_Inout_ PEX_PUSH_LOCK_CACHE_AWARE CacheAwarePushLock
);
#endif // _KERNEL_MODE
VEIL_END()
#if _MSC_VER >= 1200
#pragma warning(pop)
#endif
Reference in New Issue View Git Blame Copy Permalink